Abstract. For many application-level distributed protocols and parallel algorithms, the
set of participants, the number of messages or the interaction structure are only known
at run-time. This paper proposes a dependent type theory for multiparty sessions which
can statically guarantee type-safe, deadlock-free multiparty interactions among processes
whose specifications are parameterised by indices. We use the primitive recursion operator
from Gödel's System T to express a wide range of communication patterns while keeping
type checking decidable. To type individual distributed processes, a parameterised global
type is projected onto a generic generator which represents a class of all possible end-point
types. We prove the termination of the type-checking algorithm in the full system with
both multiparty session types and recursive types. We illustrate our type theory through
non-trivial programming and verification examples taken from parallel algorithms and web
services use cases.



As the momentum around communications-based computing grows, the need for effective 
frameworks to globally coordinate and structure the application-level interactions is pressing. 
The structures of interactions are naturally distilled as protocols. Each protocol describes 
a bare skeleton of how interactions should proceed, through e.g. sequencing, choices and 
repetitions. In the theory of multiparty session types [24, 13], such protocols can be
captured as types for interactions, and type checking can statically ensure runtime safety 
and fidelity to a stipulated protocol. 

One of the particularly challenging aspects of protocol descriptions is the fact that 
many actual communication protocols are highly parametric in the sense that the number of 
participants and even the interaction structure itself are not fixed at design time. Examples 
include parallel algorithms such as the Fast Fourier Transform (run on any number of 
communication nodes depending on resource availability) and Web services such as business 
negotiation involving an arbitrary number of sellers and buyers. This nature is important, 
for instance, for the programmer of a parallel algorithm where the size or shape of the
communication topology, or the number of available threads might be altered depending on 
the number of available cores in the machine. Another scenario is web services where the 
participant sets may be known at design time, or instantiated later. This paper introduces a 
robust dependent type theory which can statically ensure communication-safe, deadlock-free 
process interactions which follow parameterised multiparty protocols. 

We illustrate the key ideas of our proposed parametric type structures through examples.
Let us first consider a simple protocol where participant Alice sends a message of
type nat to participant Bob. To develop the code for this protocol, we start by specifying
the global type, which can concisely and clearly describe a high-level protocol for multiple
participants [24], as follows (end denotes protocol termination):

G1 = Alice → Bob: ⟨nat⟩. end

The flow of communication is indicated with the symbol → and upon agreement on G1 as
a specification for Alice and Bob, each program can be implemented separately, e.g. as
y!⟨100⟩ (output 100 to y) by Alice and y?(z); (input at y) by Bob. For type-checking, G1 is
projected into end-point session types: one from Alice's point of view, !(Bob, nat) (output
to Bob with nat-type), and another from Bob's point of view, ?(Alice, nat) (input from
Alice with nat-type), against which the respective Alice and Bob programs are checked to
be compliant.

The first step towards generalised type structures for multiparty sessions is to allow
modular specifications of protocols using arbitrary compositions and repetitions of interaction
units (this is a standard requirement in multiparty contracts [10]). Consider the type
G2 = Bob → Carol: ⟨nat⟩. end. The designer may wish to compose G1 and G2 sequentially
to build a larger protocol:

G3 = G1;G2 = Alice → Bob: ⟨nat⟩. Bob → Carol: ⟨nat⟩. end

We may also want to iterate the composed protocols n times, which can be written as
foreach(i < n){G1;G2}, and moreover bind the number of iterations n by a dependent
product to build a family of global specifications, as in (Πn binds variable n):

Πn.foreach(i < n){G1;G2}    (1.1)

Beyond enabling a variable number of exchanges between a fixed set of participants, the
ability to parameterise participant identities can represent a wide class of the communication
topologies found in the literature. For example, the use of indexed participants W[i] (denoting
the i-th worker) allows the specification of a family of session types such that neither the
number of participants nor the number of message exchanges is known before the run-time instantiation
of the parameters. The following type and diagram both describe a sequence of messages
from W[n] to W[0] (indices decrease in our foreach, see § 2):

Πn.(foreach(i < n){W[i + 1] → W[i] : ⟨nat⟩})        W[n] → W[n − 1] → ··· → W[0]        (1.2)



Here we face an immediate question: what is the underlying type structure for such parametrisation,
and how can we type-check each (parametric) end-point program? The type structure
should allow the projection of a parameterised global type to an end-point type before
knowing the exact shape of the concrete topology.

In (1.1), the corresponding end-point types are parameterised families of session types. For
example, Bob would be typed by Πj.foreach(i < j){?(Alice, nat); !(Carol, nat)}, which
represents the product of session interactions with different lengths. The choice is made
when j is instantiated, i.e. before execution. The difficulty of the projection arises in (1.2):
if n ≥ 2, there are three distinct communication patterns inhabiting this specification: the
initiator W[n] (send only), the n − 1 middle workers (receive then send), and the last worker
W[0] (receive only). This is no longer the case when n = 1 (there is only the initiator and the
last worker) or when n = 0 (no communication at all). Can we provide a decidable projection
and static type-checking by which we can preserve the main properties of the session types
such as progress and communication-safety in parameterised process topologies? The key
technique proposed in this paper is a projection method from a dependent global type
onto a generic end-point generator which exactly captures the interaction structures of
parameterised end-points and which can represent the class of all possible end-point types.
The main contributions of this paper follow:

• A new expressive framework to globally specify and program a wide range of parametric
communication protocols (§ 2). We achieve this result by combining dependent type
theories derived from Gödel's System T [31] (for expressiveness) and indexed dependent
types from Dependent ML (for parameter control), with multiparty session types.

• Decidable and flexible projection methods based on a generic end-point generator and
mergeability of branching types, enlarging the typability (§ 3.1).

• A dependent typing system that treats the full multiparty session types integrated with
dependent types (§ 3).

• Properties of the dependent typing system which include decidability of type-checking.
The resulting static typing system also guarantees type-safety and deadlock-freedom
(progress) for well-typed processes involved in parameterised multiparty communication
protocols (§ 4).

• Applications featuring various process topologies (§ 2, § 5), including the complex butterfly
network of the parallel FFT algorithm (§ 2.6, § 5.5). As far as we know, this is the first
time such a complex protocol is specified by a single type and that its implementation
can be automatically type-checked to prove communication-safety and deadlock-freedom.
We also extend the calculus with a new asynchronous primitive for session initialisation
and apply it to web services use cases [37] (§ 5.6).

Section 2 gives the definition of the parameterised types and processes, with their semantics.
Section 3 describes the type system. The main properties of the type system are presented
in Section 4. Section 5 shows typing examples. Section 6 concludes and discusses related
work.

This article is a full version expanded from [43], with complete definitions and additional
results with detailed proofs. It includes more examples with detailed explanations
and verifications, as well as expanded related work. Some additional material related to
implementations and programming examples will be discussed in § 6.

2. Types and processes for parameterised multiparty sessions

2.1. Global types. Global types allow the description of the parameterised conversations
of multiparty sessions as a type signature. Our type syntax integrates elements from three
different theories: (1) global types from [3]; (2) dependent types with primitive recursive
combinators based on [31]; and (3) parameterised dependent types from a simplified
Dependent ML.
Figure 1: Global types

R G λi:I.λx.G' 0 → G
R G λi:I.λx.G' (n + 1) → G'{n/i}{(R G λi:I.λx.G' n)/x}

Figure 2: Global type reduction



The grammar of global types (G, G', ...) is given in Figure 1. Parameterised principals,
written p, p', q, ..., can be indexed by one or more parameters, e.g. Worker[5][i + 1]. Index i
ranges over index variables i, j, n, naturals n or arithmetic operations. A global interaction
can be a message exchange (p → p': ⟨U⟩.G), where p, p' denote the sending and receiving
principals, U the payload type of the message and G the subsequent interaction. Payload
types U are either value types S (which contain the base type nat and session channel types ⟨G⟩),
or end-point types T (which correspond to the behaviour of one of the session participants
and will be explained in § 3) for delegation. Branching (p → p': {l_k : G_k}_{k∈K}) allows the
session to follow one of the different G_k paths in the interaction (K is a ground and finite
set of integers). μx.G is a recursive type where the type variable x is guarded in the standard
way (it only appears under some prefix) [35].

The main novelty is the primitive recursive operator R G λi:I.λx.G' from Gödel's
System T [31], whose reduction semantics is given in Figure 2. Its parameters are a global
type G, an index variable i with range I, a type variable x for recursion and a recursion
body G'.¹ When applied to an index i, its semantics corresponds to the repetition i times
of the body G', with the value of the index variable i going down by one at each iteration, from
i − 1 to 0. The final behaviour is given by G when the index reaches 0. The index sorts
comprise the set of natural numbers and its restrictions by predicates (P, P', ...) that are, in
our case, conjunctions of inequalities. op represents first-order index operators (such as
+, −, *, ...). We often omit I and end in our examples.

Using R, we define the product, composition, repetition and test operators as syntactic
sugar (seen in § 1):

Πi:I.G = R end λi.λx.G{i + 1/i}
G1;G2 = R G2 λi.λx.G1{x/end} 1
foreach(i < j){G} = R end λi.λx.G{x/end} j
if j then G1 else G2 = R G2 λi.λx.G1 j



where we assume that x is not free in G and G1, and that the leaves of the syntax trees of
G1 and G are end. These definitions rely on a special substitution of each end by x (for
example, p → p'{l1: !(nat); end, l2: end}{x/end} = p → p'{l1: !(nat); x, l2: x}). The composition
operator (which we usually write ';') appends the execution of G2 to G1; the repetition
operator above repeats G j times²; the boolean values are the integers 0 (false) and 1 (true).
Similar syntactic sugar is defined for local types and processes.

¹ We distinguish recursion and primitive recursion in order to get decidability results, see § 4.1.

(a) Ring       Πn:I.(foreach(i < n){W[n − i − 1] → W[n − i] : ⟨nat⟩}; W[n] → W[0] : ⟨nat⟩.end)

(b) Multicast  Πn:I.foreach(i < n){Alice → W[n − 1 − i] : ⟨nat⟩}; end

(c) Mesh       Πn.Πm.foreach(i < n){
                   foreach(j < m){
                       W[i + 1][j + 1] → W[i][j + 1] : ⟨nat⟩.
                       W[i + 1][j + 1] → W[i + 1][j] : ⟨nat⟩};
                   W[i + 1][0] → W[i][0] : ⟨nat⟩};
               foreach(k < m){W[0][k + 1] → W[0][k] : ⟨nat⟩}

[diagrams: ring over W[0], ..., W[n]; multicast from Alice to W[0], ..., W[n − 1]; mesh from W[n][m] to W[0][0]]

Figure 3: Parameterised multiparty protocol on a mesh topology

Note that composition and repetition do not necessarily impose sequentiality: only the
order of the asynchronous messages and the possible dependencies [24] between receivers
and subsequent senders control the sequentiality. For example, a parallel version of the
sequence example of § 1 (1.2) can be written in our syntax as follows:

Πn.(foreach(i < n){W[n − i] → W[n − i − 1] : ⟨nat⟩})    (2.1)

where each worker W[j] asynchronously sends a value v_j to its next worker W[j − 1] without
waiting for the message from W[j + 1] to arrive first (i.e. each choice of v_j is independent
of the others).



2.2. Examples of parameterised global types. We present some examples of global
types that implement some communication patterns specific to typical network topologies
found in classical parallel algorithms textbooks [27].

Ring - Figure 3(a). The ring pattern consists of n + 1 workers (named W[0], W[1], ..., W[n])
that each talk to their two neighbours: the worker W[i] communicates with the workers W[i − 1]
and W[i + 1] (1 ≤ i ≤ n − 1), with the exception of W[0] and W[n] who share a direct link.
The type specifies that the first message is sent by W[0] to W[1], and the last one is sent from
W[n] back to W[0]. To ensure the presence of all three roles in the workers of this topology,
the parameter domain I is set to n ≥ 2.



² This version of foreach uses decreasing indices. One can write an increasing version, see § 2.2.

[grammar of processes: recursion, inaction, parallel composition P | Q, primitive recursion, process variable, application, session restriction, queues s : h; described in § 2.3]

Figure 4: Syntax for user-defined and run-time processes

Multicast - Figure 3(b). The multicast session consists of Alice sending a message to n
workers W. The first message is thus sent from Alice to W[0], then to W[1], until W[n − 1]. Note
that, while the index i bound by the iteration foreach(i < n){Alice → W[n − 1 − i] : ⟨nat⟩}
decreases from n − 1 to 0, the index n − 1 − i in W[n − 1 − i] increases from 0 to n − 1.

Mesh - Figure 3(c). The session presented in Figure 3(c) describes a particular protocol
over a standard mesh topology [27]. In this two-dimensional array of workers W, each worker
receives messages from its left and top neighbours (if they exist) before sending messages
to its right and bottom neighbours (if they exist). Our session takes two parameters n and m which
represent the number of rows and the number of columns. Then we have two iterators that
repeat W[i + 1][j + 1] → W[i][j + 1] : ⟨nat⟩ and W[i + 1][j + 1] → W[i + 1][j] : ⟨nat⟩ for all i and j.
The communication flow goes from the top-left worker W[n][m] and converges towards the
bottom-right worker W[0][0] in n + m steps of asynchronous message exchanges.



2.3. Process syntax. The syntax of expressions and processes is given in Figure 4, extended
from [3], adding the primitive recursion operator and a new request process. Identifiers
u can be variables x or channel names a. Values v are either channels a or natural
numbers n. Expressions e are built out of indices i, values v, variables x, session end points
(for delegation) and operations over expressions. Participants p can include indices which
are substituted by values and evaluated during reductions (see the next subsection). In
processes, sessions are asynchronously initiated by u[p0, .., pn](y).P. It spawns, for each of
the {p0, .., pn},³ a request that is accepted by the participant through u[p](y).P. Messages
are sent by c!⟨p, e⟩;P to the participant p and received by c?(q, x);P from the participant
q. Selection c⊕⟨p, l⟩;P and branching c&(q, {l_k : P_k}_{k∈K}) allow a participant to choose
a branch from those supported by another. Standard language constructs include recursive
processes μX.P, restriction (νa)P and (νs)P, and parallel composition P | Q. The primitive
recursion operator R P λi.λX.Q takes as parameters a process P, a function taking
an index parameter i and a recursion variable X. A queue s : h stores the asynchronous
messages in transit.

An annotated P is the result of annotating P's bound names and variables by their
types or ranges as in e.g. (νa : ⟨G⟩)Q or s?(p, x : U);Q or R Q λi : I.λX.Q'. We omit
the annotations unless needed. We often omit 0 and the participant p from the session
primitives. Requests, session restriction and channel queues appear only at runtime, as
explained below.

³ Since the set of principals is parameterised, we allow some syntactic sugar to express ranges of participants that depend on parameters.

E[_, ..., _] ::=                                                   Evaluation contexts
    _ op e | v op _                                                Expression
  | (P _)                                                          Application
  | a[p1, .., pn, _, p_{n+1}, .., pm](y).P                         Request
  | a[_](y).P                                                      Accept
  | s[_]!⟨p, e⟩;P | s[p]!⟨_, e⟩;P | s[p]!⟨q, _⟩;P                  Send
  | s[_]⊕⟨p, l⟩;P | s[p]⊕⟨_, l⟩;P                                  Selection
  | s[_]?(p, x);P | s[p]?(_, x);P                                  Receive
  | s[_]&(p, {l_k : P_k}_{k∈K}) | s[p]&(_, {l_k : P_k}_{k∈K})      Branching

Figure 6: Evaluation contexts

2.4. Semantics. The semantics is defined by the reduction relation → presented in Figure 5.
The standard definition of evaluation contexts (that allow e.g. W[3 + 1] to be reduced
to W[4]) is in Figure 6. The metavariables p, q, .. range over principal values (where all indices
have been evaluated). Rules [ZeroR] and [SuccR] are standard and identical to their global
type counterparts. Rule [Init] describes the initialisation of a session by its first participant
a[p0, .., pn](y0).P0. It spawns asynchronous requests a[pk] : s that allow delayed acceptance
by the other session participants (rule [Join]). After the connection, the participants share
the private session name s, and the queue associated to s (which is initially empty by rule
[Init]). The variables y_p in each participant p are then replaced with the corresponding
session channel, s[p]. An equivalent, but symmetric, version of [Init] (where any participant
can start the session, not only p0) can also be used. Rule [Init] would then be replaced by
the following:

a[p0, .., pn] → (νs)(s : ε | a[p0] : s | ... | a[pn] : s)

[ZeroR]     R P λi.λX.Q 0 → P
[SuccR]     R P λi.λX.Q (n + 1) → Q{n/i}{(R P λi.λX.Q n)/X}
[Init]      a[p0, .., pn](y).P → (νs)(P{s[p0]/y} | s : ε | a[p1] : s | ... | a[pn] : s)
[Join]      a[pk] : s | a[pk](yk).Pk → Pk{s[pk]/yk}
[Send]      s[p]!⟨q, v⟩;P | s : h → P | s : h · (p, q, v)
[Label]     s[p]⊕⟨q, l⟩;P | s : h → P | s : h · (p, q, l)
[Recv]      s[p]?(q, x);P | s : (q, p, v) · h → P{v/x} | s : h
[Branch]    s[p]&(q, {l_k : P_k}_{k∈K}) | s : (q, p, l_{k0}) · h → P_{k0} | s : h    (k0 ∈ K)
[App,Scop]  P → P' ⟹ P e → P' e        P → P' ⟹ (νr)P → (νr)P'
[Par]       P → P' ⟹ P | Q → P' | Q
[Str]       P ≡ P' and P' → Q' and Q ≡ Q' ⟹ P → Q
[Context]   e → e' ⟹ E[e] → E[e']

Figure 5: Reduction rules

The rest of the session reductions are standard [3]. The output rules [Send] and [Label]
push values, channels and labels into the queue of the session s. Rules [Recv] and [Branch]
perform the complementary operations. Note that these operations check that the sender
and receiver match. Processes are considered modulo structural equivalence, denoted by
≡ (in particular, we note μX.P ≡ P{μX.P/X}), whose definition is found in Figure 7.
Besides the standard rules [29], we have a rule for rearranging messages when the senders
or the receivers are different, and a rule for the garbage-collection of unused and empty
queues.

P | 0 ≡ P      P | Q ≡ Q | P      (P | Q) | R ≡ P | (Q | R)      (νrr')P ≡ (νr'r)P
(νr)0 ≡ 0      (νs) s : ε ≡ 0      (νr)P | Q ≡ (νr)(P | Q) if r ∉ fn(Q)
s : (q, p, z) · (q', p', z') · h ≡ s : (q', p', z') · (q, p, z) · h    if p ≠ p' or q ≠ q'
μX.P ≡ P{μX.P/X}
r ranges over a, s.  z ranges over v, s[p] and l.

Figure 7: Structural equivalence

2.5. Processes for parameterised multiparty protocols. We give here the processes
corresponding to the interactions described in § 1 and § 2.1, then introduce a parallel implementation
of the Fast Fourier Transform algorithm. There are various ways to implement
end-point processes from a single global type, and we show one instance for each example
below.

Repetition. A concrete definition for the protocol (1.1) in § 1 is:

Πn.(R end λi.λx.Alice → Bob: ⟨nat⟩.Bob → Carol: ⟨nat⟩.x   n)

Then Alice and Bob can be implemented with recursors as follows (we abbreviate Alice by
a, Bob by b and Carol by c).

Alice(n) = a[a, b, c](y).(R λi.λX.y!⟨b, e[i]⟩;X   n)

Bob(n) = a[b](y).(R λi.λX.y?(a, z); y!⟨c, z⟩;X   n)

Carol(n) = a[c](y).(R λi.λX.y?(b, z); X   n)

Alice repeatedly sends a message e[i] to Bob n times. Then n can be bound by λ-abstraction,
allowing the user to dynamically assign the number of repetitions.

λn.((νa)(Alice(n) | Bob(n) | Carol(n))) 1000
Sequence from § 1 (1.2). The process below generates all participants using a recursor:

Πn.(if n = 0 then 0
    else (R (a[W[n], .., W[0]](y).y!⟨W[n − 1], v⟩; 0
            | a[W[0]](y).y?(W[1], z); 0)
           λi.λX.(a[W[i + 1]](y).y?(W[i + 2], v); y!⟨W[i], v⟩; 0 | X)   n − 1))

When n = 0 no message is exchanged. In the other case, the recursor creates the n − 1
workers through the main loop and finishes by spawning the initial and final ones.

As an illustration of the semantics, we show the reduction of the above process for
n = 2. After several applications of the [SuccR] and [ZeroR] rules, we have:

a[W[2], W[1], W[0]](y).y!⟨W[1], v⟩; 0 | a[W[0]](y).y?(W[1], z); 0 | a[W[1]](y).y?(W[2], z); y!⟨W[0], z⟩; 0

which, with [Init], [Join], [Send], [Recv], gives:

→ (νs)(s : ε | s[W[2]]!⟨W[1], v⟩; 0 | a[W[1]] : s | a[W[0]] : s |
        a[W[0]](y).y?(W[1], z); 0 | a[W[1]](y).y?(W[2], z); y!⟨W[0], z⟩; 0)
→ (νs)(s : ε | s[W[2]]!⟨W[1], v⟩; 0 | a[W[1]] : s |
        s[W[0]]?(W[1], z); 0 | a[W[1]](y).y?(W[2], z); y!⟨W[0], z⟩; 0)
→ (νs)(s : ε | s[W[2]]!⟨W[1], v⟩; 0 | s[W[0]]?(W[1], z); 0 | s[W[1]]?(W[2], z); s[W[1]]!⟨W[0], z⟩; 0)
→* (νs)(s : ε | s[W[0]]?(W[1], z); 0 | s[W[1]]!⟨W[0], v⟩; 0)
→* ≡ 0

Ring - Figure 3(a). The process that generates all the roles using a recursor is as follows:

Πn.(R (a[W[0], ..., W[n]](y).y!⟨W[1], v⟩; y?(W[n], v); P
       | a[W[n]](y).y?(W[n − 1], v); y!⟨W[0], v⟩; Q)
      λi.λX.(a[W[i + 1]](y).y?(W[i], v); y!⟨W[i + 2], v⟩; 0 | X)   n − 1)

We take the range of n to be n ≥ 2.

Mesh - Figure 3(c). In this example, when n and m are bigger than 2, there are 9 distinct
patterns of communication.

We write these processes below. We assume the existence of a function f(z1, z2, i, j)
which computes from z1 and z2 the value to be transmitted to W[i][j]. We then name
the processes after their position in the mesh. The initiator W[n][m] is in the top-left
corner of the mesh and is implemented by P_top-left. The workers that are living in the other
corners are implemented by P_top-right for W[n][0], P_bottom-left for W[0][m] and P_bottom-right for
the final worker W[0][0]. The processes P_top, P_left, P_bottom and P_right respectively implement
the workers from the top row, the leftmost column, the bottom row and the rightmost
column. The workers that are in the central part of the mesh are played by the P_center(i, j)
processes.

P_top-left(z1, z2, n, m) = a[W[n][m], .., W[0][0]](y).y!⟨W[n − 1][m], f(z1, z2, n − 1, m)⟩;
                                   y!⟨W[n][m − 1], f(z1, z2, n, m − 1)⟩; 0
P_top-right(z2, n) = a[W[n][0]](y).y?(W[n][1], z1); y!⟨W[n − 1][0], f(z1, z2, n − 1, 0)⟩; 0
P_bottom-left(z1, m) = a[W[0][m]](y).y?(W[1][m], z2); y!⟨W[0][m − 1], f(z1, z2, 0, m − 1)⟩; 0
P_bottom-right(m) = a[W[0][0]](y).y?(W[1][0], z1); y?(W[0][1], z2); 0

P_top(z2, n, k) = a[W[n][k + 1]](y).y?(W[n][k + 2], z1);
                          y!⟨W[n − 1][k + 1], f(z1, z2, n − 1, k + 1)⟩; y!⟨W[n][k], f(z1, z2, n, k)⟩; 0
P_bottom(k) = a[W[0][k + 1]](y).y?(W[1][k + 1], z1); y?(W[0][k + 2], z2);
                          y!⟨W[0][k], f(z1, z2, 0, k)⟩; 0
P_left(z1, m, i) = a[W[i + 1][m]](y).y?(W[i + 2][m], z2); y!⟨W[i][m], f(z1, z2, i, m)⟩;
                          y!⟨W[i + 1][m − 1], f(z1, z2, i + 1, m − 1)⟩; 0
P_right(i) = a[W[i + 1][0]](y).y?(W[i + 2][0], z1); y?(W[i + 1][1], z2);
                          y!⟨W[i][0], f(z1, z2, i, 0)⟩; 0
P_center(i, j) = a[W[i + 1][j + 1]](y).y?(W[i + 2][j + 1], z1); y?(W[i + 1][j + 2], z2);
                          y!⟨W[i][j + 1], f(z1, z2, i, j + 1)⟩; y!⟨W[i + 1][j], f(z1, z2, i + 1, j)⟩; 0

The complete implementation can be generated using the following process:

Πn.Πm.(R (R (P_top-left(z1, z2, n, m) | P_bottom-right(m) | P_top-right(z2, n) | P_bottom-left(z1, m))
            λk.λZ.(P_top(z2, n, k) | P_bottom(k) | Z)
            m − 1)
         λi.λX.(R (P_left(z1, m, i) | P_right(i) | X)
                  λj.λY.(P_center(i, j) | Y)
                  m − 1)
         n − 1)


2.6. Fast Fourier Transform. We describe a parallel implementation of the Fast Fourier
Transform algorithm (more precisely the radix-2 variant of the Cooley-Tukey algorithm [15]).
We start with a quick reminder of the discrete Fourier transform definition, followed by the
description of an FFT algorithm that implements it over a butterfly network. We then give
the corresponding global session type. From the diagram in (b) and the session type from
(c), it is finally straightforward to implement the FFT as simple interacting processes.

The Discrete Fourier Transform. The goal of the FFT is to compute the Discrete
Fourier Transform (DFT) of a vector of complex numbers. Assume the input consists
of N complex numbers x = x_0, ..., x_{N−1} that can be interpreted as the coefficients of a
polynomial f(y) = Σ_{j=0}^{N−1} x_j y^j. The DFT transforms x into a vector X = X_0, ..., X_{N−1}
defined by:

X_k = f(ω_N^k)

with ω_N = e^{2iπ/N} one of the N-th primitive roots of unity. The DFT can be seen as a
polynomial interpolation on the primitive roots of unity or as the application of the square
matrix (ω_N^{jk})_{j,k} to the vector x.
(c) Global type G =
Πn.
  foreach(i < 2^n){i → i : ⟨nat⟩};
  foreach(l < n){
    foreach(i < 2^l){
      foreach(j < 2^{n−l−1}){
        i * 2^{n−l} + j → i * 2^{n−l} + 2^{n−l−1} + j : ⟨nat⟩.
        i * 2^{n−l} + 2^{n−l−1} + j → i * 2^{n−l} + j : ⟨nat⟩.
        i * 2^{n−l} + j → i * 2^{n−l} + j : ⟨nat⟩.
        i * 2^{n−l} + 2^{n−l−1} + j → i * 2^{n−l} + 2^{n−l−1} + j : ⟨nat⟩}}}

(d) Processes P(n, p, x_{p̄}, y, r_p) =
  y!⟨p, x_{p̄}⟩;
  foreach(l < n){
    if bit_{n−l}(p) = 0
    then y?(p, x); y!⟨p + 2^{n−l−1}, x⟩; y?(p + 2^{n−l−1}, z); y!⟨p, x + z·ω^{g(l,p)}⟩;
    else y?(p, x); y?(p − 2^{n−l−1}, z); y!⟨p − 2^{n−l−1}, x⟩; y!⟨p, z + x·ω^{g(l,p)}⟩;};
  y?(p, x); r_p!⟨0, x⟩; 0
  where g(l, p) = p mod 2^l

Figure 8: Fast Fourier Transform on a butterfly network topology

FFT and the butterfly network. We present the radix-2 variant of the Cooley-Tukey
algorithm [15]. It uses a divide-and-conquer strategy based on the following equation (we
use the fact that ω_N^2 = ω_{N/2}):

X_k = Σ_{j=0}^{N−1} x_j ω_N^{jk}
    = Σ_{j=0}^{N/2−1} x_{2j} ω_{N/2}^{jk} + ω_N^k Σ_{j=0}^{N/2−1} x_{2j+1} ω_{N/2}^{jk}

Each of the two separate sums is the DFT of half of the original vector members, separated
into even and odd. Recursive calls can then divide the input set further based on the value
of the next binary bits. The good complexity of this FFT algorithm comes from the lower
periodicity of ω_{N/2}: we have ω_{N/2}^{k+N/2} = ω_{N/2}^k and thus the computations of X_k and X_{k+N/2}
only differ by the multiplicative factor affecting one of the two recursive calls.

Figure 8(a) illustrates this recursive principle, called butterfly, where two different intermediary
values can be computed in constant time from the results of the same two recursive
calls.

The complete algorithm is illustrated by the diagram from Figure 8(b). It features the
application of the FFT on a network of N = 2^3 machines on a hypercube network computing
the discrete Fourier transform of vector x_0, ..., x_7. Each row represents a single machine
at each step of the algorithm. Each edge represents a value sent to another machine. The
dotted edges represent the particular messages that a machine sends to itself to remember a
value for the next step. Each machine is successively involved in a butterfly with a machine
whose number differs by only one bit. Note that the recursive partition over the value of a
different bit at each step requires a particular bit-reversed ordering of the input vector: the
machine number p initially receives x_{p̄} where p̄ denotes the bit-reversal of p.



[Figure 8(a): butterfly pattern; Figure 8(b): the FFT on 2^3 machines; diagrams not reproduced]
Global Types. Figure 8(c) gives the global session type corresponding to the execution of
the FFT. The size of the network is specified by the index parameter n: for a given n, 2^n
machines compute the DFT of a vector of size 2^n. The first iterator foreach(i < 2^n){i →
i: ⟨nat⟩}; concerns the initialisation: each of the machines sends the x_p value to itself.
Then we have an iteration over variable l for the n successive steps of the algorithm. The
iterators over variables i, j work in a more complex way: at each step, the algorithm applies
the butterfly pattern between pairs of machines whose numbers differ by only one bit (at
step l, bit number n − l is concerned). The iterators over variables i and j thus generate
all the values of the other bits: for each l, i * 2^{n−l} + j and i * 2^{n−l} + 2^{n−l−1} + j range over
all pairs of integers from 2^n − 1 to 0 that differ on the (n − l)th bit. The four repeated
messages within the loops correspond to the four edges of the butterfly pattern.

Processes. The processes that are run on each machine to execute the FFT algorithm
are presented in Figure 8(d). When p is the machine number, x_{p̄} the initial value, and
y the session channel, the machine starts by sending x_{p̄} to itself: y!⟨x_{p̄}⟩. The main loop
corresponds to the iteration over the n steps of the algorithm. At step l, each machine
is involved in a butterfly corresponding to bit number n − l, i.e. with the machine whose number differs on
the (n − l)th bit. In the process, we thus distinguish the two cases corresponding to each
value of the (n − l)th bit (test on bit_{n−l}(p)). In the two branches, we receive the previously
computed value y?(x); .., then we send to and receive from the other machine (of number
p + 2^{n−l−1} or p − 2^{n−l−1}, i.e. whose (n − l)th bit was flipped). We finally compute the
new value and send it to ourselves: respectively by y!⟨x + z·ω^{g(l,p)}⟩; or y!⟨z + x·ω^{g(l,p)}⟩;.
Note that the two branches do not present the same order of send and receive as the global
session type specifies that the diagonal up arrow of the butterfly comes first. At the end of
the algorithm, the calculated values are sent to some external channels: r_p!⟨0, x⟩.
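The following Python script is an added example, not code from the paper: it runs the FFT processes of Figure 8(d) under the asynchronous queue semantics of § 2.4 and checks the result against the DFT definition of § 2.6. Each machine is a generator that yields its sends and receives in the order of Figure 8(d); the scheduler keeps one FIFO per (sender, receiver) pair, which matches the paper's single queue once the reordering rule of Figure 7 for messages with distinct senders or receivers is taken into account, and it reports a deadlock if no process can move, the situation the type system rules out for well-typed processes. Bits are numbered from 0 here, so the paper's bit_{n−l}(p) is tested as bit n − l − 1, and the twiddle exponent g used below is the standard radix-2 choice written with the single root ω_N = e^{2iπ/N}; it is an assumption of this example rather than a transcription of the page's definition of g. The names bit_reverse, dft, machine, run_session and max_error, and the input vector SAMPLE, are constructed for the demonstration.

```python
import cmath
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


def bit_reverse(p: int, n: int) -> int:
    """p-bar: the n-bit reversal of p (machine p initially holds x_{p-bar})."""
    r = 0
    for _ in range(n):
        r = (r << 1) | (p & 1)
        p >>= 1
    return r


def dft(x: List[complex]) -> List[complex]:
    """Reference DFT: X_k = sum_j x_j ω_N^{jk}, with ω_N = e^{2iπ/N} as in the text."""
    N = len(x)
    w = cmath.exp(2j * cmath.pi / N)
    return [sum(xj * w ** (j * k) for j, xj in enumerate(x)) for k in range(N)]


def machine(n: int, p: int, xp: complex):
    """One FFT process in the shape of Figure 8(d), written as a generator: it yields
    ('send', to, v) for y!<to, v> and ('recv', frm) for y?(frm, x); the scheduler
    resumes a recv with the value taken from the queue."""
    N = 1 << n
    w = cmath.exp(2j * cmath.pi / N)              # ω_N
    yield ("send", p, xp)                          # initialisation: x_{p-bar} to itself
    for l in range(n - 1, -1, -1):                 # foreach(l < n): indices decrease
        half = 1 << (n - l - 1)                    # the partner differs on bit n-l-1 (0-based)
        # Twiddle exponent: this example's assumption (standard radix-2 choice,
        # p mod 2^{n-l} scaled to the root ω_N), not a transcription of the page's g(l, p).
        g = (p % (1 << (n - l))) * (1 << l)
        if (p >> (n - l - 1)) & 1 == 0:            # lower machine of the butterfly
            x = yield ("recv", p)
            yield ("send", p + half, x)            # first message of the butterfly
            z = yield ("recv", p + half)
            yield ("send", p, x + z * w ** g)
        else:                                      # upper machine of the butterfly
            x = yield ("recv", p)
            z = yield ("recv", p - half)
            yield ("send", p - half, x)
            yield ("send", p, z + x * w ** g)
    x = yield ("recv", p)
    return x                                       # r_p!<0, x>: the result leaves the session


def run_session(n: int, x: List[complex]) -> List[complex]:
    """Asynchronous scheduler in the spirit of § 2.4: one FIFO per (sender, receiver)
    pair, round-robin over the machines, and a deadlock report if nobody can move."""
    N = 1 << n
    assert len(x) == N, "a network of 2^n machines transforms a vector of size 2^n"
    queues: Dict[Tuple[int, int], Deque[complex]] = defaultdict(deque)
    procs = {p: machine(n, p, x[bit_reverse(p, n)]) for p in range(N)}
    pending = {p: next(g) for p, g in procs.items()}   # each process's current action
    results: Dict[int, complex] = {}
    while procs:
        progressed = False
        for p in list(procs):
            act = pending[p]
            try:
                if act[0] == "send":                      # [Send]: enqueue (p, to, v)
                    _, to, v = act
                    queues[(p, to)].append(v)
                    pending[p] = procs[p].send(None)
                else:                                     # [Recv]: needs a message from frm
                    _, frm = act
                    if not queues[(frm, p)]:
                        continue                          # blocked for now
                    pending[p] = procs[p].send(queues[(frm, p)].popleft())
            except StopIteration as done:                 # the process has reduced to 0
                results[p] = done.value
                del procs[p]
            progressed = True
        if not progressed:
            raise RuntimeError("deadlock: every remaining process waits on an empty queue")
    return [results[p] for p in range(N)]


def max_error(n: int, x: List[complex]) -> float:
    """Largest deviation between the message-passing FFT and the reference DFT."""
    return max(abs(a - b) for a, b in zip(run_session(n, x), dft(x)))


SAMPLE = [1, 2 + 1j, 0, -1, 3, 0.5, -2j, 1]   # constructed input for n = 3 (N = 8)

if __name__ == "__main__":
    for k, X in enumerate(run_session(3, SAMPLE)):
        print(f"X_{k} = {X:.4f}")
    print("max error vs DFT:", max_error(3, SAMPLE))
```

Swapping the order of the two sends in the upper branch (sending to the partner before receiving its value) does not break this run, because the queues are asynchronous; swapping the receives so that both partners wait on each other first does, and the scheduler then raises the deadlock error instead of hanging, which is the kind of mismatch with the global type that projection and type-checking are meant to catch statically.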



3. Typing parameterised multiparty interactions

This section introduces the type system, by which we can statically type parameterised
global specifications.

T ::=  !(p, U); T                       Output
     | ?(p, U); T                       Input
     | ⊕(p, {l_k : T_k}_{k∈K})          Selection
     | &(p, {l_k : T_k}_{k∈K})          Branching
     | μx.T                             Recursion
     | R T λi:I.λx.T'                   Primitive recursion
     | x                                Type variable
     | T i                              Application
     | end                              End

Figure 9: End-point types

3.1. End-point types and end-point projections. A global type is projected to an end-point
type according to each participant's viewpoint. The syntax of end-point types is given
in Figure 9. Output expresses the sending to p of a value or channel of type U, followed
by the interactions T. Selection represents the transmission to p of a label l_k chosen in
{l_k}_{k∈K} followed by T_k. Input and branching are their dual counterparts. The other types
are similar to their global versions.
End-point projection: a generic projection. The relation between end-point types and global types is formalised by the projection relation. Since the actual participant characteristics might only be determined at runtime, we cannot straightforwardly use the definition from [24, 4]. Instead, we rely on the expressive power of the primitive recursive operator: a generic end-point projection of $G$ onto $q$, written $G \upharpoonright q$, represents the family of all the possible end-point types that a principal $q$ can satisfy at run-time.

$$
\begin{array}{rcl}
(p \to p' : \langle U\rangle . G) \upharpoonright q & = &
  \text{if } q = p = p' \text{ then } !\langle p, U\rangle; ?\langle p, U\rangle; G \upharpoonright q \\
 & & \text{else if } q = p \text{ then } !\langle p', U\rangle; G \upharpoonright q \\
 & & \text{else if } q = p' \text{ then } ?\langle p, U\rangle; G \upharpoonright q \\
 & & \text{else } G \upharpoonright q \\[4pt]
(p \to p' : \{l_k : G_k\}_{k\in K}) \upharpoonright q & = &
  \text{if } q = p \text{ then } \oplus\langle p', \{l_k : G_k \upharpoonright q\}_{k\in K}\rangle \\
 & & \text{else if } q = p' \text{ then } \&\langle p, \{l_k : G_k \upharpoonright q\}_{k\in K}\rangle \\
 & & \text{else } \bigsqcup_{k\in K} G_k \upharpoonright q \\[4pt]
(\mathsf{R}\, G\, \lambda i{:}I.\lambda x.G') \upharpoonright q & = & \mathsf{R}\, (G \upharpoonright q)\, \lambda i{:}I.\lambda x.(G' \upharpoonright q) \\
(\mu x.G) \upharpoonright p & = & \mu x.(G \upharpoonright p) \\
x \upharpoonright p & = & x \\
(G\, i) \upharpoonright p & = & (G \upharpoonright p)\, i \\
\mathsf{end} \upharpoonright p & = & \mathsf{end}
\end{array}
$$

Figure 10: Projection of global types to end-point types



The general endpoint generator is defined in Figure 10 using the derived condition construct if _ then _ else _. The projection $(p \to p' : \langle U\rangle.G) \upharpoonright q$ leads to a case analysis: if the participant $q$ is equal to $p$, then the end-point type of $q$ is an output of type $U$ to $p'$; if participant $q$ is $p'$, then $q$ inputs $U$ from $p$; else we skip the prefix. The first case corresponds to the possibility for the sender and receiver to be identical. Projecting the branching global type is similarly defined, but for the operator $\sqcup$ explained below. For the other cases (as well as for our derived operators), the projection is homomorphic. We also identify $\mu x.x$ with $\mathsf{end}$ ($\mu x.x$ is generated when a target participant is not included under the recursion; for example, $(p \to p' : \langle U\rangle.\mu x.q \to q' : \langle U\rangle.x) \upharpoonright p = !\langle p', U\rangle; \mu x.x$) and $\mu x.T$ with $T$ if $x \notin ftv(T)$.

Mergeability of branching types. We first recall the example from [24], which explains that naive branching projection leads to inconsistent end-point types.



$$W[0] \to W[1] : \{ok : W[1] \to W[2] : \langle bool\rangle,\ quit : W[1] \to W[2] : \langle nat\rangle\}$$



We cannot project the above type onto W[2] because, while the branches behave differently, W[0] makes a choice without informing W[2], who thus cannot know the type of the expected value. A solution is to define projection only when the branches are identical, i.e. we change the above nat to bool in our example.

In our framework, this restriction is too strong since each branch may contain different parametric interaction patterns. To overcome this, below we propose a method called mergeability of branching types.¹



¹ The idea of mergeability is introduced informally in the tutorial paper [13].
$$
\begin{array}{ll}
\Gamma \vdash \mathsf{Env} & \text{well-formed environments} \\
\Gamma \vdash \kappa & \text{well-formed kindings} \\
\Gamma \vdash \alpha \blacktriangleright \kappa & \text{well-formed types} \\
\Gamma \vdash \alpha \equiv \beta & \text{type equivalence} \\
\Gamma \vdash \alpha \approx \beta & \text{type isomorphism} \\
\Gamma \vdash e \rhd U & \text{expression} \\
\Gamma \vdash p \rhd U_p & \text{participant} \\
\Gamma \vdash P \rhd \tau & \text{processes}
\end{array}
$$

Figure 11: Judgements ($\alpha, \beta, \ldots$ range over any types)



Definition 3.1 (Mergeability). The mergeability relation $\bowtie$ is the smallest congruence relation over end-point types satisfying the branching rule displayed after the Environments paragraph below: two branching types from the same $p$ are mergeable when their common labels carry mergeable continuations and their remaining labels are pairwise distinct.

When $T_1 \bowtie T_2$ is defined, we define the operation $\sqcup$ as a partial commutative operator over two types such that $T \sqcup T = T$ for all types, that two branching types merge by the equation displayed below (common labels are merged, the other labels are collected from either side), and that $\sqcup$ is homomorphic for other types (i.e. $C[T_1] \sqcup C[T_2] = C[T_1 \sqcup T_2]$ where $C$ is a context for local types).

The mergeability relation states that two types are identical up to their branching types, where only branches with distinct labels are allowed to be different. By this extended typing condition, we can modify our previous global type example to add ok and quit labels to notify W[2]; the modified global type is displayed below. Then W[2] can have the type $\&\langle W[1], \{ok : ?\langle W[1], bool\rangle,\ quit : ?\langle W[1], nat\rangle\}\rangle$, which could not be obtained through the original projection rule in [24, 4]. This projection is sound up to branching subtyping (it will be proved in Lemma 4.5 later).
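As an added example (not the paper's code), the projection of Figure 10 and the merge operator $\sqcup$ of Definition 3.1 implemented in Python on a constructed subset of the syntax: a closed global type is first normalised by reducing its recursor applications, then projected onto a concrete participant, and the projections of the branches that $q$ is not involved in are merged with $\sqcup$. The pipeline global type, the helpers `inst`, `norm` and `endpoint`, and the participant name W are assumptions; the two branching types are the page's own example and its modified form.

```python
from dataclasses import dataclass
from functools import reduce
# ---- Global types: a constructed subset of the paper's syntax ----
@dataclass(frozen=True)
class Part: name: str; coef: int = 0; const: int = 0  # participant W[coef*i+const]
@dataclass(frozen=True)
class Msg: p: object; q: object; U: str; cont: object  # p -> q : <U>.G
@dataclass(frozen=True)
class Bra: p: object; q: object; branches: tuple       # p -> q : {l_k : G_k}_k
@dataclass(frozen=True)
class Rec: base: object; body: object                  # R G lambda i. lambda x. G'
@dataclass(frozen=True)
class App: fn: object; n: int                          # G n (index application)
@dataclass(frozen=True)
class Var: pass                                        # recursor type variable x
@dataclass(frozen=True)
class End: pass
# ---- End-point types of Figure 9 (recursion-free fragment) ----
@dataclass(frozen=True)
class Out: p: str; U: str; cont: object                # !<p,U>;T
@dataclass(frozen=True)
class In: p: str; U: str; cont: object                 # ?<p,U>;T
@dataclass(frozen=True)
class Sel: p: str; branches: tuple                     # (+)<p,{l_k:T_k}_k>
@dataclass(frozen=True)
class Bran: p: str; branches: tuple                    # &<p,{l_k:T_k}_k>
@dataclass(frozen=True)
class LEnd: pass

def inst(g, n, x_repl):
    """Substitute i := n in participants and the recursor variable x := x_repl."""
    def part(p):
        return f"{p.name}[{p.coef * n + p.const}]" if isinstance(p, Part) else p
    if isinstance(g, Msg):
        return Msg(part(g.p), part(g.q), g.U, inst(g.cont, n, x_repl))
    if isinstance(g, Bra):
        return Bra(part(g.p), part(g.q),
                   tuple((l, inst(b, n, x_repl)) for l, b in g.branches))
    return x_repl if isinstance(g, Var) else g

def norm(g):
    """Reduce recursor applications: (R G li.lx.G') 0 -> G and
    (R G li.lx.G') (n+1) -> G'{n/i}{(R G li.lx.G') n / x}, everywhere in g."""
    if isinstance(g, App) and isinstance(g.fn, Rec):
        r = g.fn
        return norm(r.base if g.n == 0 else inst(r.body, g.n - 1, App(r, g.n - 1)))
    if isinstance(g, Msg):
        return Msg(g.p, g.q, g.U, norm(g.cont))
    if isinstance(g, Bra):
        return Bra(g.p, g.q, tuple((l, norm(b)) for l, b in g.branches))
    return g

class NotMergeable(Exception): pass   # T1 |_| T2 is partial: raised where undefined

def merge(t1, t2):
    """T1 |_| T2 of Definition 3.1: T |_| T = T; branchings from the same p unite
    their labels (merging shared ones); I/O prefixes merge homomorphically."""
    if t1 == t2:
        return t1
    if isinstance(t1, Bran) and isinstance(t2, Bran) and t1.p == t2.p:
        d1, d2 = dict(t1.branches), dict(t2.branches)
        def pick(l):   # shared label: merge continuations; else take the one side
            return merge(d1[l], d2[l]) if l in d1 and l in d2 else d1.get(l, d2.get(l))
        return Bran(t1.p, tuple((l, pick(l)) for l in list(d1) + [l for l in d2 if l not in d1]))
    if type(t1) is type(t2) and isinstance(t1, (Out, In)) and (t1.p, t1.U) == (t2.p, t2.U):
        return type(t1)(t1.p, t1.U, merge(t1.cont, t2.cont))
    raise NotMergeable(f"{t1} vs {t2}")

def project(g, q):
    """Figure 10 on a closed, recursor-free global type: the end-point type of q,
    merging with |_| the branches that q is not involved in."""
    if isinstance(g, Msg):
        t = project(g.cont, q)
        if q == g.p == g.q:                      # sender and receiver coincide
            return Out(g.p, g.U, In(g.p, g.U, t))
        return Out(g.q, g.U, t) if q == g.p else In(g.p, g.U, t) if q == g.q else t
    if isinstance(g, Bra):
        bs = tuple((l, project(b, q)) for l, b in g.branches)
        if q == g.p:
            return Sel(g.q, bs)
        if q == g.q:
            return Bran(g.p, bs)
        return reduce(merge, (t for _, t in bs))   # |_|_{k in K} (G_k |` q)
    return LEnd()

def endpoint(g, q):
    """Normalise g and project it onto q; None where |_| is undefined."""
    try: return project(norm(g), q)
    except NotMergeable: return None

W = lambda i: f"W[{i}]"                          # concrete participant names
# The page's example: W[0] chooses, but W[2] is never told which branch was taken.
bad = Bra(W(0), W(1), (("ok", Msg(W(1), W(2), "bool", End())),
                       ("quit", Msg(W(1), W(2), "nat", End()))))
# The page's fix: W[1] forwards the label to W[2] before sending the value.
good = Bra(W(0), W(1), (("ok", Bra(W(1), W(2), (("ok", Msg(W(1), W(2), "bool", End())),))),
                        ("quit", Bra(W(1), W(2), (("quit", Msg(W(1), W(2), "nat", End())),)))))
# Constructed parameterised pipeline:  R end  lambda i. lambda x.  W[i] -> W[i+1] : <nat>. x
pipeline = Rec(End(), Msg(Part("W", 1, 0), Part("W", 1, 1), "nat", Var()))
```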

3.2. Type system (1): environments, judgements and kinding. This subsection introduces the environments and kinding systems. Because free indices appear both in terms (e.g. participants in session initialisation) and in types, the formal definitions of what constitutes a valid term and a valid type are interdependent, and both in turn require a careful definition of a valid global type.

Environments. One of the main differences with previous session type systems is that session environments $\Delta$ can contain dependent process types. The grammar of environments, process types and kinds is given below.

$$\Delta ::= \emptyset \mid \Delta, c : T \qquad \Gamma ::= \emptyset \mid \Gamma, P \mid \Gamma, u : S \mid \Gamma, i : I \mid \Gamma, X : \tau \qquad \tau ::= \Delta \mid \Pi i{:}I.\tau$$

$\Delta$ is the session environment which associates channels to session types. $\Gamma$ is the standard environment which contains predicates and which associates variables to sort types, service names to global types, indices to index sets and process variables to session types. $\tau$ is a process type which is either a session environment or a dependent type. We write $\Gamma, u : S$ only if $u \notin dom(\Gamma)$, where $dom(\Gamma)$ denotes the domain of $\Gamma$. We use the same convention for the others.

Displays belonging to Definition 3.1 (the mergeability rule, the operator $\sqcup$ on branching types, and the modified global type of the example):

$$\frac{\forall i \in (K \cap J).\ T_i \bowtie T'_i \qquad \forall k \in (K \setminus J), \forall j \in (J \setminus K).\ l_k \neq l_j}{\&\langle p, \{l_k : T_k\}_{k\in K}\rangle \bowtie \&\langle p, \{l_j : T'_j\}_{j\in J}\rangle}$$

$$\&\langle p, \{l_k : T_k\}_{k\in K}\rangle \sqcup \&\langle p, \{l_j : T'_j\}_{j\in J}\rangle = \&\langle p, \{l_i : T_i \sqcup T'_i\}_{i \in K\cap J} \cup \{l_k : T_k\}_{k\in K\setminus J} \cup \{l_j : T'_j\}_{j\in J\setminus K}\rangle$$

$$W[0] \to W[1] : \{ok : W[1] \to W[2] : \{ok : W[1] \to W[2] : \langle bool\rangle\},\ quit : W[1] \to W[2] : \{quit : W[1] \to W[2] : \langle nat\rangle\}\}$$
Judgements. Our type system uses the judgements listed in Figure 11.

Following [41], we assume given in the typing rules two semantically defined judgements: $\Gamma \models P$ (predicate $P$ is a consequence of $\Gamma$) and $\Gamma \models i : I$ ($i : I$ follows from the assumptions of $\Gamma$).

We write $\Gamma \vdash J$ for arbitrary judgements and write $\Gamma \vdash J, J'$ to stand for both $\Gamma \vdash J$ and $\Gamma \vdash J'$. In addition, we use two additional judgements for the runtime systems (one for queues, $\Gamma \vdash_\Sigma s : h \rhd \Delta$, and one for runtime processes, $\Gamma \vdash_\Sigma P \rhd \Delta$), which are similar to those in [3] and listed in the Appendix. We often omit $\Sigma$ from $\Gamma \vdash_\Sigma P \rhd \Delta$ if it is not important.

Kinding. The definition of kinds is given below:

$$\kappa ::= \Pi i{:}I.\kappa \mid \mathsf{Type} \qquad U_p ::= \mathsf{nat} \mid \Pi i{:}I.U_p$$

We inductively define well-formed types using a kind system. The judgement $\Gamma \vdash \alpha \blacktriangleright \kappa$ means that type $\alpha$ has kind $\kappa$. Kinds include proper types for global, value, principal, end-point and process types (denoted by $\mathsf{Type}$), and the kind of type families, written $\Pi i{:}I.\kappa$. The kinding rules are defined in Figure 13 and Figure 14 in this section and Figure 20 in the Appendix. The environment well-formedness rules are in Figure 12.

The kinding rules for types, value types, principals, index sets and process types are listed in Figure 13. In [KMar] in the value types, $ftv(G)$ denotes the set of free type variables in $G$. The condition $ftv(G) = \emptyset$ means that shared channel types are always closed. Rule [KIIndex] forms the index sort, which contains only natural numbers (by the condition $0 \le i$). Other rules in Figure 13 and the rules in Figure 12 are standard.

We next explain the global type kinding rules from Figure 14. The local type kinding in Figure 20 in the Appendix is similar.

Rule [KIO] states that if both participants have nat-type, the carried type $U$ and the rest of the global type $G'$ are kinded by $\mathsf{Type}$, and $U$ does not contain any free type variables, then the resulting type is well-formed. This prevents these types from being dependent. The rule [KBra] is similar, while rules [KRec, KTVar] are standard.

Dependent types are introduced when kinding recursors in [KRcr]. In [KRcr], we need an updated index range for $i$ in the premise $\Gamma, i : I^- \vdash G' \blacktriangleright \mathsf{Type}$, since the index substitution uses the predecessor of $i$. We define $I^-$ using the abbreviation $[0..j] = \{i : \mathsf{nat} \mid i \le j\}$:

$$[0..0]^- = \emptyset \qquad \text{and} \qquad [0..i]^- = [0..i-1]$$

Note that the second argument ($\lambda i : I^-.\lambda x.G'$) is closed (i.e. it does not contain free type variables). We use [KApp] for both index applications. Note that [KApp] checks whether the argument $i$ satisfies the index set $I$. Other rules are similarly understood, including those for process types (noting that $\Delta$ is a well-formed environment if it only contains types $T$ of kind $\mathsf{Type}$).

3.3. Type system (2): type equivalence. Since our types include dependent types and recursors, we need a notion of type equivalence. We extend the standard method of [1, §2] with the recursor. The rules are found in Figure 15 and are applied following the order in which they appear in Figure 15. For example, [WfRec] has a higher priority than [WfRecF]. We only define the rules for $G$. The same set of rules can be applied to $T$ and $\tau$.

Rule [WfBase] is the main rule defining $G_1 \equiv G_2$ and relies on the existence of a common weak head normal form for the two types.
$$
[\mathsf{ENul}]\ \frac{}{\vdash \mathsf{Env}}
\qquad
[\mathsf{EPre}]\ \frac{\Gamma \models P}{\Gamma, P \vdash \mathsf{Env}}
\qquad
[\mathsf{ESort}]\ \frac{\Gamma \vdash S \blacktriangleright \mathsf{Type} \quad u \notin dom(\Gamma)}{\Gamma, u : S \vdash \mathsf{Env}}
$$

$$
[\mathsf{EIndex}]\ \frac{\Gamma \vdash I \quad i \notin dom(\Gamma)}{\Gamma, i : I \vdash \mathsf{Env}}
\qquad
[\mathsf{EVar}]\ \frac{\Gamma \vdash \tau \blacktriangleright \kappa \quad X \notin dom(\Gamma)}{\Gamma, X : \tau \vdash \mathsf{Env}}
$$

Figure 12: Well-formed environments



Type

$$[\mathsf{KBase}]\ \frac{\Gamma \vdash \mathsf{Env}}{\Gamma \vdash \mathsf{Type}} \qquad [\mathsf{KSeq}]\ \frac{\Gamma, i : I \vdash \kappa}{\Gamma \vdash \Pi i{:}I.\kappa}$$

Value Types

$$[\mathsf{KMar}]\ \frac{\Gamma \vdash G \blacktriangleright \mathsf{Type} \quad ftv(G) = \emptyset}{\Gamma \vdash \langle G\rangle \blacktriangleright \mathsf{Type}} \qquad [\mathsf{KNat}]\ \frac{\Gamma \vdash \mathsf{Env}}{\Gamma \vdash \mathsf{nat} \blacktriangleright \mathsf{Type}} \qquad [\mathsf{KBool}]\ \frac{\Gamma \vdash \mathsf{Env}}{\Gamma \vdash \mathsf{bool} \blacktriangleright \mathsf{Type}}$$

Principals

$$[\mathsf{KPNat}]\ \frac{\Gamma \vdash \mathsf{Env}}{\Gamma \vdash \mathsf{nat} \blacktriangleright \mathsf{Type}} \qquad [\mathsf{KProd}]\ \frac{\Gamma, i : I \vdash U_p \blacktriangleright \kappa}{\Gamma \vdash \Pi i{:}I.U_p \blacktriangleright \Pi i{:}I.\kappa}$$

Index Sets

$$[\mathsf{KINat}]\ \frac{\Gamma \vdash \mathsf{Env}}{\Gamma \vdash \mathsf{nat}} \qquad [\mathsf{KIIndex}]\ \frac{\Gamma \vdash \mathsf{Env} \quad \Gamma, i : I \models P \wedge 0 \le i}{\Gamma \vdash \{i : I \mid P \wedge 0 \le i\}}$$

Process Types

$$[\mathsf{KPNul}]\ \frac{\Gamma \vdash \mathsf{Env}}{\Gamma \vdash \emptyset \blacktriangleright \mathsf{Type}} \qquad [\mathsf{KPCh}]\ \frac{\Gamma \vdash \Delta \blacktriangleright \mathsf{Type} \quad \Gamma \vdash T \blacktriangleright \mathsf{Type}}{\Gamma \vdash \Delta, c : T \blacktriangleright \mathsf{Type}} \qquad [\mathsf{KPProd}]\ \frac{\Gamma, i : I \vdash \tau \blacktriangleright \kappa}{\Gamma \vdash \Pi i{:}I.\tau \blacktriangleright \Pi i{:}I.\kappa}$$

Figure 13: Kinding system for types, values, principals, index sets and process types

Rules [WfIO] and [WfBra] say that if the subterms are equated and each type satisfies the kinding rule, then the resulting global types are equated.

Rule [WfPRec] says that two recursive types are equated only if their bodies are equated. Note that we do not check whether unfolded recursive types are equated or not.

Rules [WfRVar] and [WfEnd] are the base cases.

Two recursors are equated if either (1) each global type subexpression is equated by $\equiv$ (rule [WfRec]), or, if not, (2) they reduce to the same normal forms when applied to a finite
$$[\mathsf{KIO}]\ \frac{\Gamma \vdash p \rhd \mathsf{nat} \quad \Gamma \vdash p' \rhd \mathsf{nat} \quad \Gamma \vdash G' \blacktriangleright \mathsf{Type} \quad \Gamma \vdash U \blacktriangleright \mathsf{Type} \quad ftv(U) = \emptyset}{\Gamma \vdash p \to p' : \langle U\rangle.G' \blacktriangleright \mathsf{Type}}$$

$$[\mathsf{KBra}]\ \frac{\Gamma \vdash p \rhd \mathsf{nat} \quad \Gamma \vdash p' \rhd \mathsf{nat} \quad \forall k \in K.\ \Gamma \vdash G_k \blacktriangleright \mathsf{Type}}{\Gamma \vdash p \to p' : \{l_k : G_k\}_{k\in K} \blacktriangleright \mathsf{Type}}$$

$$[\mathsf{KRcr}]\ \frac{\Gamma \vdash G \blacktriangleright \kappa\{0/j\} \quad \Gamma, i : I^- \vdash G' \blacktriangleright \kappa\{i+1/j\}}{\Gamma \vdash \mathsf{R}\, G\, \lambda i{:}I^-.\lambda x.G' \blacktriangleright \Pi j{:}I.\kappa}$$

$$[\mathsf{KRec}]\ \frac{\Gamma \vdash G \blacktriangleright \mathsf{Type}}{\Gamma \vdash \mu x.G \blacktriangleright \mathsf{Type}} \qquad [\mathsf{KVar}]\ \frac{\Gamma \vdash \kappa}{\Gamma \vdash x \blacktriangleright \kappa} \qquad [\mathsf{KEnd}]\ \frac{\Gamma \vdash \mathsf{Env}}{\Gamma \vdash \mathsf{end} \blacktriangleright \mathsf{Type}}$$

$$[\mathsf{KApp}]\ \frac{\Gamma \vdash G \blacktriangleright \Pi j{:}I.\kappa \quad \Gamma \models i : I}{\Gamma \vdash G\, i \blacktriangleright \kappa\{i/j\}}$$

Figure 14: Kinding rules for global types

number of indices (rule [WfRecF]). Note that rule [WfRec] has a higher priority than rule [WfRecF] (since it is more efficient, as it does not reduce recursors). If $\mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1 \equiv_{\mathrm{wf}} \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2$ is derived by applying [WfRec] under a finite $I$, then the same equation can be derived using [WfRecF]. Thus, when the index range is finite, [WfRec] subsumes [WfRecF]. On the other hand, [WfRec] can be used for infinite index sets.

Similarly, [WfBase] is staged with [WfApp] to ensure that the premise of [WfRecF] always matches with [WfBase], not with [WfApp] (this avoids the infinite application of rules [WfRecF] and [WfApp]). A use of these rules is given in the examples later. Other rules are standard.

Type equivalence with meta-logic reasoning. The set of rules in Figure 15 is designed with algorithmic checking in mind (see §4.2). In some examples, in order to type processes with types that are not syntactically close, it is interesting to extend the equivalence classes on types, at the price of the decidability of type checking.

We propose in Figure 16 an additional equivalence rule that removes from rule [WfRecF] the finiteness assumption on $I$. It allows one to prove the equivalence of two recursor-based types if it is possible to prove meta-logically that they are extensionally equivalent. This technique can be used to type several of our examples (see §5).

3.4. Typing processes. We explain here (Figure 17) the typing rules for the initial processes. Rules [TNat] and [TVari] are standard. The judgement $\Gamma \vdash \mathsf{Env}$ (defined in Figure 12) in the premise means that $\Gamma$ is well-formed. For participants, we check their typing by [TId] and [TP] in a similar way as [41]. Rule [TPRec] deals with the changed index range within the recursor body. More precisely, we first check $\tau$'s kind. Then we verify for the base case ($j = 0$) that $P$ has type $\tau\{0/j\}$. Last, we check the more complex inductive case: $Q$ should have type $\tau\{i+1/j\}$ under the environment $\Gamma, X : \tau\{i/j\}$, where the type $\tau\{i/j\}$ of $X$ means that $X$ satisfies the predecessor's type (induction hypothesis). Rule [TApp] is the elimination rule for dependent types.
$$[\mathsf{WfBase}]\ \frac{\Gamma \vdash \mathrm{whnf}(G_1) \equiv_{\mathrm{wf}} \mathrm{whnf}(G_2)}{\Gamma \vdash G_1 \equiv G_2}$$

$$[\mathsf{WfIO}]\ \frac{\Gamma \vdash U_1 \equiv U_2 \quad \Gamma \vdash G_1 \equiv G_2 \quad \Gamma \vdash p \to p' : \langle U_i\rangle.G_i \blacktriangleright \mathsf{Type}\ (i = 1, 2)}{\Gamma \vdash p \to p' : \langle U_1\rangle.G_1 \equiv_{\mathrm{wf}} p \to p' : \langle U_2\rangle.G_2}$$

$$[\mathsf{WfBra}]\ \frac{\forall k \in K.\ \Gamma \vdash G_{1k} \equiv G_{2k} \quad \Gamma \vdash p \to q : \{l_k : G_{jk}\}_{k\in K} \blacktriangleright \mathsf{Type}\ (j = 1, 2)}{\Gamma \vdash p \to q : \{l_k : G_{1k}\}_{k\in K} \equiv_{\mathrm{wf}} p \to q : \{l_k : G_{2k}\}_{k\in K}}$$

$$[\mathsf{WfPRec}]\ \frac{\Gamma \vdash G_1 \equiv G_2}{\Gamma \vdash \mu x.G_1 \equiv_{\mathrm{wf}} \mu x.G_2} \qquad [\mathsf{WfRVar}]\ \frac{\Gamma \vdash \mathsf{Env}}{\Gamma \vdash x \equiv_{\mathrm{wf}} x} \qquad [\mathsf{WfEnd}]\ \frac{\Gamma \vdash \mathsf{Env}}{\Gamma \vdash \mathsf{end} \equiv_{\mathrm{wf}} \mathsf{end}}$$

$$[\mathsf{WfRec}]\ \frac{\Gamma \vdash G_1 \equiv G_2 \quad \Gamma, i : I \vdash G'_1 \equiv G'_2}{\Gamma \vdash \mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1 \equiv_{\mathrm{wf}} \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2}$$

$$[\mathsf{WfRecF}]\ \frac{\Gamma \vdash G_1 \equiv G_2 \quad \Gamma \vdash \mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1\, n \equiv \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2\, n \quad \Gamma \models I = [0..m] \quad 1 \le n \le m}{\Gamma \vdash \mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1 \equiv_{\mathrm{wf}} \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2}$$

$$[\mathsf{WfApp}]\ \frac{\Gamma \vdash G_1 \equiv_{\mathrm{wf}} G_2 \quad \Gamma \models i_1 : I = i_2 : I \quad \Gamma \vdash G_j\, i_j \blacktriangleright \kappa\ (j = 1, 2)}{\Gamma \vdash G_1\, i_1 \equiv_{\mathrm{wf}} G_2\, i_2}$$

Figure 15: Global (decidable) type equivalence rules

$$[\mathsf{WfRecExt}]\ \frac{\Gamma \vdash G_1 \equiv G_2 \quad \forall n \in I.\ \Gamma \vdash \mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1\, n \equiv \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2\, n}{\Gamma \vdash \mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1 \equiv \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2}$$

Figure 16: Meta-logical global type equivalence rule

Rule [TEq] states that typing works up to type equivalence, where $\equiv$ is defined in the previous subsection. The recursion rule [TRec] is standard. In rule [TVar], $\Delta \approx \Delta'$ denotes the standard isomorphism rules for recursive types (i.e. we identify $\mu x.T$ and $T\{\mu x.T/x\}$), see Appendix A.1. Note that we apply the isomorphism rules only when recursive variables are introduced. This way, we can separate type isomorphism for recursive types from type equalities with recursors.

Rule [TInit] types a session initialisation on shared channel $u$, binding channel $y$ and requiring participants $\{p_0, .., p_n\}$. The premise verifies that the type of $y$ is the first projection of the global type $G$ of $u$ and that the participants in $G$ (denoted by $pid(G)$) can be semantically derived as $\{p_0, .., p_n\}$.

Rule [TAcc] allows one to type the $p$-th participant to the session initiated on $u$. The typing rule checks that the type of $y$ is the $p$-th projection of the global type $G$ of $u$ and that $G$ is fully instantiated. The kind rule ensures that $G$ is fully instantiated (i.e. $G$'s kind is
$$[\mathsf{TIOp}]\ \frac{\Gamma \models 0 \le i\ \mathit{op}\ i'}{\Gamma \vdash i\ \mathit{op}\ i' \rhd \mathsf{nat}} \qquad [\mathsf{TNat}]\ \frac{\Gamma \vdash \mathsf{Env}}{\Gamma \vdash n \rhd \mathsf{nat}} \qquad [\mathsf{TVari}]\ \frac{\Gamma, i : I \vdash \mathsf{Env}}{\Gamma, i : I \vdash i \rhd \mathsf{nat}}$$

$$[\mathsf{TId}]\ \frac{\Gamma \vdash \kappa}{\Gamma \vdash \mathsf{Alice} \rhd \kappa} \qquad [\mathsf{TP}]\ \frac{\Gamma \vdash p \rhd \Pi i{:}I.\kappa \quad \Gamma \models i' : I}{\Gamma \vdash p[i'] \rhd \kappa\{i'/i\}}$$

$$[\mathsf{TPRec}]\ \frac{\Gamma, i : I^-, X : \tau\{i/j\} \vdash Q \rhd \tau\{i+1/j\} \quad \Gamma \vdash P \rhd \tau\{0/j\} \quad \Gamma, j : I \vdash \tau \blacktriangleright \kappa}{\Gamma \vdash \mathsf{R}\, P\, \lambda i.\lambda X.Q \rhd \Pi j{:}I.\tau}$$

$$[\mathsf{TEq}]\ \frac{\Gamma \vdash P \rhd \tau \quad \Gamma \vdash \tau \equiv \tau'}{\Gamma \vdash P \rhd \tau'} \qquad [\mathsf{TApp}]\ \frac{\Gamma \vdash P \rhd \Pi i{:}I.\tau \quad \Gamma \models i' : I}{\Gamma \vdash P\, i' \rhd \tau\{i'/i\}}$$

$$[\mathsf{TRec}]\ \frac{\Gamma, X : \tau \vdash P \rhd \tau}{\Gamma \vdash \mu X.P \rhd \tau} \qquad [\mathsf{TVar}]\ \frac{\Gamma, X : \tau \vdash \mathsf{Env} \quad \Gamma \vdash \tau \approx \tau'}{\Gamma, X : \tau \vdash X \rhd \tau'}$$

$$[\mathsf{TInit}]\ \frac{\Gamma \vdash u : \langle G\rangle \quad \Gamma \vdash P \rhd \Delta, y : G \upharpoonright p_0 \quad \Gamma \vdash p_i \rhd \mathsf{nat} \quad \Gamma \models pid(G) = \{p_0..p_n\}}{\Gamma \vdash \bar{u}[p_0, .., p_n](y).P \rhd \Delta}$$

$$[\mathsf{TAcc}]\ \frac{\Gamma \vdash u : \langle G\rangle \quad \Gamma \vdash P \rhd \Delta, y : G \upharpoonright p \quad \Gamma \vdash p \rhd \mathsf{nat} \quad \Gamma \models p \in pid(G)}{\Gamma \vdash u[p](y).P \rhd \Delta}$$

$$[\mathsf{TReq}]\ \frac{\Gamma \vdash a : \langle G\rangle \quad \Gamma \vdash p \rhd \mathsf{nat} \quad \Gamma \models p \in pid(G)}{\Gamma \vdash a[p] : s \rhd s[p] : G \upharpoonright p}$$

$$[\mathsf{TOut}]\ \frac{\Gamma \vdash e \rhd S \quad \Gamma \vdash P \rhd \Delta, c : T}{\Gamma \vdash c!\langle p, e\rangle; P \rhd \Delta, c : !\langle p, S\rangle; T} \qquad [\mathsf{TIn}]\ \frac{\Gamma, x : S \vdash P \rhd \Delta, c : T}{\Gamma \vdash c?(p, x); P \rhd \Delta, c : ?\langle p, S\rangle; T}$$

$$[\mathsf{TDeleg}]\ \frac{\Gamma \vdash P \rhd \Delta, c : T}{\Gamma \vdash c!\langle p, c'\rangle; P \rhd \Delta, c : !\langle p, T'\rangle; T, c' : T'} \qquad [\mathsf{TRecep}]\ \frac{\Gamma \vdash P \rhd \Delta, c : T, y : T'}{\Gamma \vdash c?(p, y); P \rhd \Delta, c : ?\langle p, T'\rangle; T}$$

$$[\mathsf{TSel}]\ \frac{\Gamma \vdash P \rhd \Delta, c : T_j \quad j \in K}{\Gamma \vdash c \oplus \langle p, l_j\rangle; P \rhd \Delta, c : \oplus\langle p, \{l_k : T_k\}_{k\in K}\rangle} \qquad [\mathsf{TBra}]\ \frac{\forall k \in K.\ \Gamma \vdash P_k \rhd \Delta, c : T_k}{\Gamma \vdash c \& (p, \{l_k : P_k\}_{k\in K}) \rhd \Delta, c : \&\langle p, \{l_k : T_k\}_{k\in K}\rangle}$$

$$[\mathsf{TNu}]\ \frac{\Gamma, a : \langle G\rangle \vdash P \rhd \Delta}{\Gamma \vdash (\nu a)P \rhd \Delta} \qquad [\mathsf{TNull}]\ \frac{\Gamma \vdash \Delta \quad \Delta\ \text{end only}}{\Gamma \vdash \mathbf{0} \rhd \Delta} \qquad [\mathsf{TPar}]\ \frac{\Gamma \vdash P \rhd \Delta \quad \Gamma \vdash Q \rhd \Delta'}{\Gamma \vdash P \mid Q \rhd \Delta, \Delta'}$$

Figure 17: Initial expression and process typing

$\mathsf{Type}$). Rule [TReq] types the process that waits for an accept from a participant: its type corresponds to the end-point projection of $G$.

The next four rules associate the input/output processes with the input/output types, and the delegation input/output processes with the session input/output types. The next two rules are the branching/selection rules.

Rule [TNull] checks that $\Delta$ is well-formed and only contains end-types, for weakening (the condition "$\Delta$ end only" means $\forall c \in dom(\Delta).\ \Delta(c) = \mathsf{end}$). Rule [TPar] puts two processes in parallel only if their session environments have disjoint domains. Other rules are standard.

4. Properties of typing

We study the two main properties of the typing system: one is the termination of type-checking and the other is type-soundness. The proofs require a careful analysis due to the subtle interplay between dependent types, recursors, recursive types and branching types.

4.1. Basic properties. We prove here a series of consistency lemmas concerning permutations and weakening. They are invariably deduced by induction on the derivations in the standard manner.

We use the following additional notations: $\Gamma \subseteq \Gamma'$ iff $u : S \in \Gamma$ implies $u : S \in \Gamma'$, and similarly for other mappings. In other words, $\Gamma \subseteq \Gamma'$ means that $\Gamma'$ is a permutation of an extension of $\Gamma$.

Lemma 4.1.

(1) (Permutation and Weakening) Suppose $\Gamma \subseteq \Gamma'$ and $\Gamma' \vdash \mathsf{Env}$. Then $\Gamma \vdash J$ implies $\Gamma' \vdash J$.

(2) (Strengthening) $\Gamma, u : U, \Gamma' \vdash J$ and $u \notin fv(\Gamma', J) \cup fn(\Gamma', J)$. Then $\Gamma, \Gamma' \vdash J$. Similarly for other mappings.

(3) (Agreement)

(a) $\Gamma \vdash J$ implies $\Gamma \vdash \mathsf{Env}$.

(b) $\Gamma \vdash G \blacktriangleright \kappa$ implies $\Gamma \vdash \kappa$. Similarly for other judgements.

(c) $\Gamma \vdash G \equiv G'$ implies $\Gamma \vdash G \blacktriangleright \kappa$. Similarly for other judgements.

(d) $\Gamma \vdash P \rhd \tau$ implies $\Gamma \vdash \tau \blacktriangleright \kappa$. Similarly for other judgements.

(4) (Exchange)

(a) $\Gamma, u : U, \Gamma' \vdash J$ and $\Gamma \vdash U \equiv U'$. Then $\Gamma, u : U', \Gamma' \vdash J$. Similarly for other mappings.

(b) $\Gamma, i : I, \Gamma' \vdash J$ and $\Gamma \models i : I = i : I'$. Then $\Gamma, i : I', \Gamma' \vdash J$.

(c) $\Gamma, P, \Gamma' \vdash J$ and $\Gamma \models P = P'$. Then $\Gamma, P', \Gamma' \vdash J$.

Proof. By induction on the derivations. We note that the proofs are done simultaneously. For the rules which use substitutions in the conclusion of the rule, such as [TApp] in Figure 17, we need to use the next substitution lemma simultaneously. We only show the most interesting case, which involves a recursor.

Proof of (3)(b). Case [KRcr]: Suppose $\Gamma \vdash \mathsf{R}\, G\, \lambda i : I^-.\lambda x.G' \blacktriangleright \Pi j : I.\kappa$ is derived by [KRcr] in Figure 14. We prove $\Gamma \vdash \Pi j : I.\kappa$. From $\Gamma, i : I^- \vdash G' \blacktriangleright \kappa\{i+1/j\}$ in the premise of [KRcr], we have $\Gamma, i : I^- \vdash \kappa\{i+1/j\}$ by the inductive hypothesis. By definition of $I^-$, this implies $\Gamma, j : I \vdash \kappa$. Now by [KSeq], we have $\Gamma \vdash \Pi j{:}I.\kappa$, as desired. □
The following lemma, which states that well-typedness is preserved by substitution of appropriate values for variables, is the key result underlying Subject Reduction. It also guarantees that the substitution for an index, which affects both a shared environment and the type of a term, and the substitution for a process variable are always well-defined. Note that substitutions may change session types and environments in the index case.
Lemma 4.2 (Substitution lemma).

(1) If $\Gamma, i : I, \Gamma' \vdash_\Sigma J$ and $\Gamma \models n : I$, then $\Gamma, (\Gamma'\{n/i\}) \vdash_\Sigma J\{n/i\}$.

(2) If $\Gamma, X : \Delta \vdash_\Sigma P \rhd \tau$ and $\Gamma \vdash Q : \Delta$, then $\Gamma \vdash_\Sigma P\{Q/X\} \rhd \tau$.

(3) If $\Gamma, x : S \vdash_\Sigma P \rhd \Delta$ and $\Gamma \vdash v : S$, then $\Gamma \vdash_\Sigma P\{v/x\} \rhd \Delta$.

(4) If $\Gamma \vdash_\Sigma P \rhd \Delta, y : T$, then $\Gamma \vdash_\Sigma P\{s[p]/y\} \rhd \Delta, s[p] : T$.

Proof. By induction on the derivations. We prove the most interesting case: if $\Gamma, i : I, \Gamma' \vdash_\Sigma P \rhd \tau$ and $\Gamma \vdash n \rhd \mathsf{nat}$ with $\Gamma \models n : I$, then $\Gamma, (\Gamma'\{n/i\}) \vdash_\Sigma P\{n/i\} \rhd \tau\{n/i\}$ when the last applied rule is [TPRec]. Assume

$$\Gamma, k : J, \Gamma' \vdash \mathsf{R}\, P\, \lambda i.\lambda X.Q \rhd \Pi j{:}I.\tau \qquad \text{with } \Gamma \models n : J$$

is derived from [TPRec]. This is derived by:

$$\Gamma, k : J, \Gamma', i : I^-, X : \tau\{i/j\} \vdash Q \rhd \tau\{i+1/j\} \tag{4.1}$$

$$\Gamma, k : J, \Gamma' \vdash P \rhd \tau\{0/j\} \tag{4.2}$$

$$\Gamma, k : J, \Gamma', j : I \vdash \tau \blacktriangleright \kappa \tag{4.3}$$

From (4.1): $\Gamma, \Gamma'\{n/k\}, i : I^-\{n/k\}, X : \tau\{i/j\}\{n/k\} \vdash Q\{n/k\} \rhd \tau\{i+1/j\}\{n/k\}$ (4.4)

From (4.2): $\Gamma, \Gamma'\{n/k\} \vdash P\{n/k\} \rhd \tau\{0/j\}\{n/k\}$ (4.5)

From (4.3): $\Gamma, \Gamma'\{n/k\}, j : I\{n/k\} \vdash \tau\{n/k\} \blacktriangleright \kappa\{n/k\}$ (4.6)

From (4.4), (4.5) and (4.6), by [TPRec], we obtain $\Gamma, \Gamma'\{n/k\} \vdash (\mathsf{R}\, P\, \lambda i.\lambda X.Q)\{n/k\} \rhd (\Pi j{:}I.\tau)\{n/k\}$ as required. □

4.2. Termination of equality checking and type checking. This subsection proves the termination of type-checking (we assume that we use the type equality rules in Figure 15). Ensuring termination of type-checking with dependent types is not an easy task since type equivalences are often derived from term equivalences. We rely on the strong normalisation of System $\mathcal{T}$ [21] for the termination proof.

Proposition 4.1 (Termination and confluence). The reduction relation $\to$ on global and end-point types (i.e. $G \to G'$ and $T \to T'$ for closed types in Figure 2) is strongly normalising and confluent on well-formed kindings. More precisely, if $\Gamma \vdash G \blacktriangleright \kappa$, then there exists a unique term $G' = \mathrm{whnf}(G)$ such that $G \to^* G' \not\to$.

Proof. By strong normalisation of System $\mathcal{T}$ [21]. For the confluence, we first note that the reduction relation on global types defined in Figure 2, and on expressions with the first-order operators in the types, is deterministic, i.e. if $G \to G_i$ ($i = 1, 2$) by the rules in Figure 2, then $G_1 = G_2$. Hence it is locally confluent, i.e. if $G \to G_i$ ($i = 1, 2$) then $G_i \to^* G'$. Then we achieve the result by Newman's Lemma. The second clause is a direct consequence of the fact that $\to$ coincides with the head reduction. □

Proving the termination of type equality checking requires a detailed analysis, since the premises of the mathematical induction rules compare two types whose syntactic sizes are larger than those of their conclusions. The sizes of the judgements are defined in Figure 18 using the following functions from [1, §2.4.3], taking rule [WfRecF] in Figure 15 into account.

(1) $|G|$ is the size of the structure of $G$, where we associate an $\omega^2$-valued weight to each judgement to represent a possible reduction to a weak head normal form.
Judgements $w(\cdot)$:

$$w(\Gamma \vdash G_1 \equiv G_2) = w(\Gamma \vdash G_1 \equiv_{\mathrm{wf}} G_2) + 1 \qquad w(\Gamma \vdash G_1 \equiv_{\mathrm{wf}} G_2) = \omega \cdot (\mu^*(G_1) + \mu^*(G_2)) + \|G_1\| + \|G_2\| + 1$$

Types $|\cdot|$:

$$\begin{array}{ll}
\text{Value} & |\mathsf{nat}| = 1, \quad |\langle G\rangle| = |G| + 1 \\
\text{Global} & |p \to p' : \langle U\rangle.G| = 2 + |U| + |G| \\
& |p \to p' : \{l_k : G_k\}_{k\in K}| = 2 + \sum_{k\in K}(1 + |G_k|) \\
& |\mu x.G| = |G| + 2, \quad |x| = |n| = |\mathsf{end}| = 1 \\
& |G\, i| = |G| + 2\ (fv(i) = \emptyset), \quad |G\, i| = \|G\| + 2\ (fv(i) \neq \emptyset) \\
& |\mathsf{R}\, G\, \lambda i{:}I.\lambda x.G'| = 4 + \|G\| + |G'| \\
\text{Local} & |!\langle p, U\rangle; T| = 3 + |U| + |T|, \quad |?\langle p, U\rangle; T| = 3 + |U| + |T| \\
& |\oplus\langle p, \{l_k : T_k\}_{k\in K}\rangle| = |\&\langle p, \{l_k : T_k\}_{k\in K}\rangle| = 2 + \sum_{k\in K}(1 + |T_k|) \\
& |\mu x.T| = |T| + 2, \quad |x| = |n| = |\mathsf{end}| = 1 \\
& |T\, i| = |T| + 2\ (fv(i) = \emptyset), \quad |T\, i| = \|T\| + 2\ (fv(i) \neq \emptyset) \\
& |\mathsf{R}\, T\, \lambda i{:}I.\lambda x.T'| = 4 + \|T\| + \|T'\| \\
\text{Principals} & |\Pi i{:}I.U_p| = 2 + |U_p| \\
\text{Processes} & |\emptyset| = 0, \quad |\Delta, c : T| = |\Delta| + |T| + 1, \quad |\Pi i{:}I.\tau| = 2 + |\tau|
\end{array}$$

Types $\|\cdot\|$:

$$\begin{array}{ll}
\text{Global} & \|\mathsf{R}\, G\, \lambda i{:}I.\lambda x.G'\| = \sum_{n\in I} |\mathsf{R}\, G\, \lambda i{:}I.\lambda x.G'\, n| \quad (I \text{ finite}) \\
\text{Local} & \|\mathsf{R}\, T\, \lambda i{:}I.\lambda x.T'\| = \sum_{n\in I} |\mathsf{R}\, T\, \lambda i{:}I.\lambda x.T'\, n| \quad (I \text{ finite}) \\
& \text{Others are } \|G\| = |G|.
\end{array}$$

Types $\mu(\cdot)$:

$$\begin{array}{ll}
\text{Global} & \mu(p \to p' : \langle U\rangle.G) = \mu^*(G) \\
& \mu(p \to p' : \{l_k : G_k\}_{k\in K}) = \sum_{k\in K} \mu^*(G_k) \\
& \mu(\mu x.G) = \mu^*(G) \\
& \mu(G\, i) = m + \mu^*(G) \\
& \mu(\mathsf{R}\, G\, \lambda i{:}I.\lambda x.G') = \mu^*(G) + \mu^*(G') \\
& \mu(x) = \mu(\mathsf{end}) = 0 \\
\text{Local} & \mu(T\, i) = n + \mu^*(T) \\
& \mu(\mathsf{R}\, T\, \lambda i{:}I.\lambda x.T') = \mu^*(T) + \mu^*(T') \\
& \text{Others are similar to } \mu(G).
\end{array}$$

Types $\mu^*(\cdot)$:

$$\begin{array}{ll}
\text{Global} & \mu^*(\mathsf{R}\, G\, \lambda i{:}I.\lambda x.G') = \sum_{n\in I} \mu(\mathsf{R}\, G\, \lambda i{:}I.\lambda x.G'\, n) \\
\text{Local} & \mu^*(\mathsf{R}\, T\, \lambda i{:}I.\lambda x.T') = \sum_{n\in I} \mu(\mathsf{R}\, T\, \lambda i{:}I.\lambda x.T'\, n) \\
& \text{Others are } \mu^*(G) = \mu(G) \text{ and homomorphic.}
\end{array}$$

$m$ and $n$ denote the upper bound on the length of any $\to$ from $G\, i$ and $T\, i$, respectively.

Figure 18: Size of types and judgements and the upper bound of reductions with unfolding
(2) $\|G\|$ is the size of the structure of $G$ where the unfolding of recursors with finite index sets is considered, taking [WfRecF] in Figure 15 into account.

(3) $\mu(G)$ denotes an upper bound on the length of any $\to$ reduction sequence (see Figure 2) starting from $G$ and its subterms.

(4) $\mu^*(G)$ denotes an upper bound on the length of any $\to$ reduction sequence (see Figure 2) starting from $G$ and its subterms. It unfolds recursors with finite index sets.

The definition of the size of a judgement $w(\Gamma \vdash G_1 \equiv_{\mathrm{wf}} G_2)$ follows [1, §2.4.3]. We use $\mu^*(G)$ and $\|G\|$ because of [WfRecF] in Figure 15. Note that $|G|$ corresponds to $\mu(G)$, while $\|G\|$ corresponds to $\mu^*(G)$. In $\mu^*(G)$, we incorporate the number of reductions of unfolded recursors. Because the reduction of expressions strongly normalises, we choose the size of $e$ to be 1, and the length of reductions of (closed) $e$ is assumed to be 0.

The termination of type equality checking is then proved by the following main lemma.

Lemma 4.3 (Size of equality judgements). The weight of any premise of a rule is always less than the weight of the conclusion.

Proof. Our proof is by induction on the length of reduction sequences and the size of terms.

Case [WfBase]. The cases $\mathrm{whnf}(G_1) = G_1$ and $\mathrm{whnf}(G_2) = G_2$ are obvious by definition. Hence we assume $\mathrm{whnf}(G_1) \neq G_1$. Thus there exists at least one reduction step $G_1 \to G'_1$. Hence by definition, $\mu^*(\mathrm{whnf}(G_i)) < \mu^*(G_i)$ ($i = 1, 2$). Similarly we have $\|\mathrm{whnf}(G_i)\| < \infty$ by definition. Note that for any $G$, we have $\|G\| < \infty$. Hence we have

$$\begin{array}{rl}
& w(\Gamma \vdash \mathrm{whnf}(G_1) \equiv_{\mathrm{wf}} \mathrm{whnf}(G_2)) \\
= & \omega \cdot \mu^*(\mathrm{whnf}(G_1)) + \|\mathrm{whnf}(G_1)\| + \omega \cdot \mu^*(\mathrm{whnf}(G_2)) + \|\mathrm{whnf}(G_2)\| + 1 \\
< & \omega \cdot \mu^*(G_1) + \|G_1\| + \omega \cdot \mu^*(G_2) + \|G_2\| + 2 \\
= & w(\Gamma \vdash G_1 \equiv G_2)
\end{array}$$

Case [WfIO]. Similar to [WfBra] below.

Case [WfBra].

$$\begin{array}{rl}
& \sum_{k\in K} w(\Gamma \vdash G_{1k} \equiv G_{2k}) \\
= & \sum_{k\in K} (w(\Gamma \vdash G_{1k} \equiv_{\mathrm{wf}} G_{2k}) + 1) \\
= & \sum_{k\in K} (\omega \cdot (\mu^*(G_{1k}) + \mu^*(G_{2k})) + \|G_{1k}\| + \|G_{2k}\| + 2) \\
= & \sum_{k\in K} (\omega \cdot (\mu(G_{1k}) + \mu(G_{2k})) + |G_{1k}| + |G_{2k}| + 2) \\
< & \sum_{k\in K} (\omega \cdot (\mu(G_{1k}) + \mu(G_{2k})) + |G_{1k}| + |G_{2k}| + 2) + 5 \\
= & w(\Gamma \vdash p \to q : \{l_k : G_{1k}\}_{k\in K} \equiv_{\mathrm{wf}} p \to q : \{l_k : G_{2k}\}_{k\in K})
\end{array}$$

We note that $G_{1k}$ and $G_{2k}$ cannot be recursors since $\Gamma \vdash G_{ik} \blacktriangleright \mathsf{Type}$ by the kinding rule, hence $\mu(G_{ik}) = \mu^*(G_{ik})$ and $|G_{ik}| = \|G_{ik}\|$ in the third equation above.

Case [WfPRec]. Similar to [WfBra] above.

Cases [WfRVar], [WfEnd]. By definition.

Case [WfRec]. The case where $I$ is infinite:

$$\begin{array}{rl}
& w(\Gamma \vdash G_1 \equiv G_2) + w(\Gamma, i : I \vdash G'_1 \equiv G'_2) \\
= & w(\Gamma \vdash G_1 \equiv_{\mathrm{wf}} G_2) + 1 + w(\Gamma, i : I \vdash G'_1 \equiv_{\mathrm{wf}} G'_2) + 1 \\
= & \omega \cdot (\mu^*(G_1) + \mu^*(G_2)) + \|G_1\| + \|G_2\| + 2 + \omega \cdot (\mu^*(G'_1) + \mu^*(G'_2)) + \|G'_1\| + \|G'_2\| + 2 \\
< & \omega \cdot (\mu^*(G_1) + \mu^*(G_2)) + \|G_1\| + \|G_2\| + 4 + \omega \cdot (\mu^*(G'_1) + \mu^*(G'_2)) + \|G'_1\| + \|G'_2\| + 4 + 1 \\
= & w(\Gamma \vdash \mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1 \equiv_{\mathrm{wf}} \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2)
\end{array}$$

The case where $I$ is finite:

$$\begin{array}{rl}
& w(\Gamma \vdash G_1 \equiv G_2) + w(\Gamma, i : I \vdash G'_1 \equiv G'_2) \\
= & \omega \cdot (\mu^*(G_1) + \mu^*(G_2)) + \|G_1\| + \|G_2\| + 2 + \omega \cdot (\mu^*(G'_1) + \mu^*(G'_2)) + \|G'_1\| + \|G'_2\| + 2 \\
< & \sum_{n\in I} (\omega \cdot (m_{1n} + \mu^*(G''_{1n}) + m_{2n} + \mu^*(G''_{2n}))) \\
& + \sum_{n\in I} (\omega \cdot (\mu^*(G_1) + \mu^*(G_2)) + \|G_1\| + \|G_2\| + 4 + 2) \\
& + \sum_{n\in I} (\omega \cdot (\mu^*(G'_1) + \mu^*(G'_2)) + \|G'_1\| + \|G'_2\| + 4 + 2) + 1 \\
= & w(\Gamma \vdash \mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1 \equiv_{\mathrm{wf}} \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2)
\end{array}$$

where we assume $m_{jn}$ is the length of the reduction sequence from $\mathsf{R}\, G_j\, \lambda i{:}I.\lambda x.G'_j\, n$ (in Figure 2), and $\mathsf{R}\, G_j\, \lambda i{:}I.\lambda x.G'_j\, n \to^* G''_{jn}$ for all $n \in I$.

Case [WfRecF]. Assume $I = [0, \ldots, m]$.

$$\begin{array}{rl}
& w(\Gamma \vdash G_1 \equiv G_2) + \sum_{1 \le n \le m} w(\Gamma \vdash \mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1\, n \equiv \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2\, n) \\
= & \omega \cdot \mu^*(G_1) + \|G_1\| + \omega \cdot \mu^*(G_2) + \|G_2\| + 2 \\
& + \sum_{1 \le n \le m} (w(\Gamma \vdash \mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1\, n \equiv_{\mathrm{wf}} \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2\, n) + 1) \\
= & \omega \cdot ((m_{11} - 1) + \mu^*(G''_{11}) + (m_{21} - 1) + \mu^*(G''_{21})) + \|G_1\| + \|G_2\| + 2 \\
& + \sum_{1 \le n \le m} (\omega \cdot (m_{1n} + \mu^*(G''_{1n}) + m_{2n} + \mu^*(G''_{2n}))) \\
& + \sum_{1 \le n \le m} (\omega \cdot (\mu^*(G_1) + \mu^*(G_2)) + \|G_1\| + \|G_2\| + 4 + 2) \\
& + \sum_{1 \le n \le m} (\omega \cdot (\mu^*(G'_1) + \mu^*(G'_2)) + \|G'_1\| + \|G'_2\| + 4 + 2) \\
< & \sum_{n\in I} (\omega \cdot (m_{1n} + \mu^*(G''_{1n}) + m_{2n} + \mu^*(G''_{2n}))) \\
& + \sum_{n\in I} (\omega \cdot (\mu^*(G_1) + \mu^*(G_2)) + \|G_1\| + \|G_2\| + 4 + 2) \\
& + \sum_{n\in I} (\omega \cdot (\mu^*(G'_1) + \mu^*(G'_2)) + \|G'_1\| + \|G'_2\| + 4 + 2) + 1 \\
= & w(\Gamma \vdash \mathsf{R}\, G_1\, \lambda i{:}I.\lambda x.G'_1 \equiv_{\mathrm{wf}} \mathsf{R}\, G_2\, \lambda i{:}I.\lambda x.G'_2)
\end{array}$$

where we assume $m_{jn}$ is the length of the reduction sequence from $\mathsf{R}\, G_j\, \lambda i{:}I.\lambda x.G'_j\, n$ (in Figure 2), and $\mathsf{R}\, G_j\, \lambda i{:}I.\lambda x.G'_j\, n \to^* G''_{jn}$ for all $n \in I$.

Case [WfApp]. First, since [WfApp] has a lower priority than [WfBase], we have $G_j\, i_j \not\to$. Hence $\mu^*(G_j\, i_j) = \mu^*(G_j)$. We also note that:

(1) If $G_j$ is not a recursor, then $\|G_j\| = |G_j|$; and

(2) If $G_j$ is a recursor, then $i_j$ contains free variables (since [WfApp] has a lower priority than [WfBase], if $i_j$ is closed, it reduces to $m$ for some $m$), hence $\|G_j\, i_j\| = \|G_j\| + 2$.

There is no case such that $G_j$ is a recursor and $i_j$ is some natural number $n$ since, if so, we can apply [WfBase]. Thus, by (1, 2), $\|G_j\, i_j\| = \|G_j\| + 2$. Hence we have:

$$\begin{array}{rl}
& w(\Gamma \vdash G_1 \equiv_{\mathrm{wf}} G_2) \\
= & \omega \cdot (\mu^*(G_1) + \mu^*(G_2)) + \|G_1\| + \|G_2\| + 1 \\
< & \omega \cdot (\mu^*(G_1) + \mu^*(G_2)) + \|G_1\| + \|G_2\| + 4 + 1 \\
= & w(\Gamma \vdash G_1\, i_1 \equiv_{\mathrm{wf}} G_2\, i_2)
\end{array}$$

as required. □

Proposition 4.2 (Termination for type equality checking). Assuming that proving the predicates $\Gamma \models P$ appearing in type equality derivations is decidable, type-equality checking of $\Gamma \vdash G \equiv G'$ terminates. Similarly for other types.

Proof. By Lemma 4.3 and the termination of kinding and well-formed environment checking. □

We first formally define annotated processes, which are processes with explicit type annotations for bound names and variables (see §2.3).

$$P ::= \bar{u}[p_0, .., p_n](y{:}T).P \mid u[p](y{:}T).P \mid c?(p, x{:}T); P \mid (\nu a{:}\langle G\rangle)P \mid \mu X{:}\tau.P \mid \mathsf{R}\, P\, \lambda i{:}I.\lambda X.Q \mid X^\tau$$
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Theorem 4.4 (Termination of type checking). Assuming that proving the predicates T \= P 
appearing in kinding, equality, projection and typing derivations is decidable, then type- 
checking of annotated process P , i.e. V h P D> terminates. 

Proof. First, it is straightforward to show that kinding checking, well- formed environment 
checking and projection are decidable as long as deciding the predicates T |= P appearing 
in the rules is possible. 

Secondly, we note that by the standard argument from indexed dependent types [T|I41]. 
for the dependent A-applications ([TApp] in Figure [T7|). we do not require equality of terms 
(i.e. we only need the equality of the indices by the semantic consequence judgements). 

Thirdly, by the result from [201 Corollary 2, page 217], the type isomorphic checking 
r ~ t' terminates so that the type isomorphic checking in [Tvar] in Figure [T7] (between r 
in the environment and t' of X T ') always terminates. 

Forth, it is known that type checking for annotated terms with session types terminates 
with sub typing [20j § 5.2] and multiparty session types [24"] . 

Hence the rest of the proof consists in eliminating the type equality rule [Teq] in order to 
make the rules syntax-directed. We include the type equality check into [TInit,TReq,TAcc] 
(between the global type and its projected session type), the input rules [TIn,TRecep] (be- 
tween the session type and the type annotating x), [TRec] (between the session type and 
the type annotating X), and [TRec] (between the session type and the type annotating X 
in r). We show the four syntax-directed rules. The first rule is the initialisation. 

$$\frac{\Gamma \vdash u : \langle G\rangle \qquad \Gamma \vdash P \triangleright \Delta, y : T \qquad \Gamma \vdash G \upharpoonright p_0 = T \qquad \Gamma \vdash p_i \triangleright \mathsf{nat} \qquad \Gamma \models \mathsf{pid}(G) = \{p_0 .. p_n\}}{\Gamma \vdash \bar{u}[p_0,..,p_n](y).P \triangleright \Delta}\ \text{[TInit]}$$

Then it is straightforward to check that Γ ⊢ u : ⟨G⟩ terminates. Checking Γ ⊢ P ▷ Δ, y : T also terminates by the inductive hypothesis. Checking Γ ⊢ G↾p_0 = T terminates since the projection terminates and checking α = β (for any types α and β) terminates by Lemma 4.3. Checking Γ ⊢ p_i ▷ nat terminates since kinding checking terminates. Finally, checking Γ ⊨ pid(G) = {p_0..p_n} terminates by assumption.
The second rule is the session input.

$$\frac{\Gamma \vdash P \triangleright \Delta, c : T, y : T' \qquad \Gamma \vdash T_0 = T'}{\Gamma \vdash c?(p, y{:}T_0);P \triangleright \Delta, c : {?}(p, T');T}\ \text{[TRecep]}$$

Then checking Γ ⊢ P ▷ Δ, c : T, y : T' terminates by the inductive hypothesis, and checking Γ ⊢ T_0 = T' terminates by Lemma 4.3.

The third and fourth rules are recursions.

$$\frac{\Gamma, X : \tau \vdash P \triangleright \tau' \qquad \Gamma \vdash \tau = \tau'}{\Gamma \vdash \mu X{:}\tau.P \triangleright \tau'}\ \text{[TRec]} \qquad\qquad \frac{\Gamma, X : \tau \vdash \mathsf{Env} \qquad \Gamma \vdash \tau \approx \tau' \qquad \Gamma \vdash \tau' = \tau''}{\Gamma, X : \tau \vdash X\,\tau' \triangleright \tau''}\ \text{[TVar]}$$

In [TRec], we assume P ≠ X (such a term is meaningless). Then [TRec] terminates by the inductive hypothesis and Lemma 4.3, while [TVar] terminates by termination of the isomorphism check (as said above) and Lemma 4.3.

Other rules are similar, hence we conclude the proof. □
To ensure the termination of Γ ⊨ P, possible solutions include the restriction of predicates to linear equalities over natural numbers without multiplication (or to other decidable arithmetic subsets), or the restriction of indices to finite domains, cf. [41].

4.3. Type soundness and progress. 

The following lemma states that mergeability is sound with respect to the branching subtyping ≤. By this, we can safely replace the third clause $\bigsqcup_{k \in K} G_k \upharpoonright q$ of the branching case of the projection definition by $\sqcap\{T \mid \forall k \in K.\ T \le (G_k \upharpoonright q)\}$. This allows us to prove subject reduction by including subsumption, as done in [24].

Lemma 4.5 (Soundness of mergeability). Suppose $G_1 \upharpoonright p \bowtie G_2 \upharpoonright p$ and $\Gamma \vdash G_i$. Then there exists $G$ such that $G \upharpoonright p = \sqcap\{T \mid T \le G_i \upharpoonright p\ (i = 1, 2)\}$, where $\sqcap$ denotes the maximum element with respect to ≤.

Proof. The only interesting case is when $G_1 \upharpoonright p$ and $G_2 \upharpoonright p$ take the form of a branching type. Suppose $G_1 = p' \to p : \{l_k : G'_k\}_{k \in K}$ and $G_2 = p' \to p : \{l_j : G''_j\}_{j \in J}$ with $G_1 \upharpoonright p \bowtie G_2 \upharpoonright p$. Let $G'_k \upharpoonright p = T_k$ and $G''_j \upharpoonright p = T'_j$. Then by the definition of $\bowtie$ in § 3.1, we have $G_1 \upharpoonright p = \&(p', \{l_k : T_k\}_{k \in K})$ and $G_2 \upharpoonright p = \&(p', \{l_j : T'_j\}_{j \in J})$ with $\forall i \in (K \cap J).\ T_i \bowtie T'_i$ and $\forall k \in (K \setminus J), \forall j \in (J \setminus K).\ l_k \neq l_j$. By the assumption and the inductive hypothesis on $T_k \bowtie T'_j$, we can set

$$T = \&(p', \{l_i : T''_i\}_{i \in I})$$

such that $I = K \cup J$; and (1) if $i \in K \cap J$, then $T''_i = T_i \sqcap T'_i$; (2) if $i \in K$, $i \notin J$, then $T''_i = T_i$; and (3) if $i \in J$, $i \notin K$, then $T''_i = T'_i$. Set $G_{0i} \upharpoonright p = T''_i$. Then we can obtain

$$G = p' \to p : \{l_i : G_{0i}\}_{i \in I}$$

which satisfies $G \upharpoonright p = \sqcap\{T \mid T \le G_i \upharpoonright p\ (i = 1, 2)\}$, as desired. □

As session environments record channel states, they evolve when communications proceed. This can be formalised by introducing a notion of session environment reduction. These rules are formalised below modulo ≡.

• $\{s[p] : {!}(q,U);T,\ s[q] : {?}(p,U);T'\} \Rightarrow \{s[p] : T,\ s[q] : T'\}$

• $\{s[p] : {!}(p,U);{?}(p,U);T'\} \Rightarrow \{s[p] : T'\}$

• $\{s[p] : \oplus(q, \{l_k : T_k\}_{k \in K})\} \Rightarrow \{s[p] : \oplus(q, l_j); T_j\}$

• $\{s[p] : \oplus(q, l_j); T,\ s[q] : \&(p, \{l_k : T_k\}_{k \in K})\} \Rightarrow \{s[p] : T,\ s[q] : T_j\}$

• $\Delta \cup \Delta'' \Rightarrow \Delta' \cup \Delta''$ if $\Delta \Rightarrow \Delta'$.

The first rule corresponds to the reception of a value or channel by participant q; the second rule formalises the reception of a value or channel sent by p itself; the third rule treats the choice of the label $l_j$, while the fourth rule propagates this choice to the receiver (participant q).

For the subject reduction theorem, we need to define the coherence of the session environment Δ, which means that each end-point type is dual to the other end-point types.

Definition 4.3. A session environment Δ is coherent for the session s (notation co(Δ, s)) if $s[p] : T \in \Delta$ and $T \upharpoonright q \neq \mathsf{end}$ imply $s[q] : T' \in \Delta$ and $T \upharpoonright q \bowtie T' \upharpoonright p$. A session environment Δ is coherent if it is coherent for all sessions which occur in it.

The definitions of $T \upharpoonright q$ and $\bowtie$ are given in Appendix B. Intuitively, $T \upharpoonright q$ is the projection of T onto q, defined similarly to $G \upharpoonright q$; and $T \upharpoonright q \bowtie T' \upharpoonright p$ means that the actions of T towards q and the actions of T' towards p are dual (i.e. input matches output, branching matches selection, and vice versa). Note that two projections of the same global type are always dual: let G be a global type and $p, q \in G$ with $p \neq q$. Then $(G \upharpoonright p) \upharpoonright q \bowtie (G \upharpoonright q) \upharpoonright p$, i.e. session environments corresponding to a global type are always coherent.
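The reduction rules and the coherence condition above, as an added worked example that is not part of the paper: a small Python model of local types, the five-rule session-environment reduction, and a coherence check in the sense of Definition 4.3. The restriction T ↾ q and the duality ⋈ are only referenced to Appendix B in this section, so their encodings here (keep the actions addressed to q; output meets input of the same sort, selection meets branching) are our assumptions, as are the constructed three-party environment and the participant and sort names.

```python
# Session-environment reduction (rules 1-5 above) and the coherence check of
# Definition 4.3 over a small local-type syntax.  Added example, not the paper's code.
END = ("end",)
def send(q, U, T):  return ("!", q, U, T)       # !(q, U); T
def recv(q, U, T):  return ("?", q, U, T)       # ?(q, U); T
def select(q, br):  return ("+", q, dict(br))   # ⊕(q, {l_k : T_k})
def branch(q, br):  return ("&", q, dict(br))   # &(q, {l_k : T_k})
# ("+!", q, l, T) is the runtime form ⊕(q, l_j); T_j produced by rule 3.

def step(env):
    """One-step reductions Δ ⇒ Δ' of {(s, p): T}; rule 5 is implicit, rule 3 branches."""
    succ = []
    for (s, p), T in env.items():
        tag = T[0]
        if tag == "!":
            q, U, cont = T[1], T[2], T[3]
            if q == p:                                   # rule 2: self-send, self-receive
                if cont[:3] == ("?", p, U):
                    succ.append({**env, (s, p): cont[3]})
            else:                                        # rule 1: matching input at s[q]
                T2 = env.get((s, q))
                if T2 is not None and T2[:3] == ("?", p, U):
                    succ.append({**env, (s, p): cont, (s, q): T2[3]})
        elif tag == "+":                                 # rule 3: commit to one label
            for l, Tl in T[2].items():
                succ.append({**env, (s, p): ("+!", T[1], l, Tl)})
        elif tag == "+!":                                # rule 4: receiver takes that branch
            q, l, cont = T[1], T[2], T[3]
            T2 = env.get((s, q))
            if T2 is not None and T2[0] == "&" and T2[1] == p and l in T2[2]:
                succ.append({**env, (s, p): cont, (s, q): T2[2][l]})
    return succ

def terminal_envs(env):
    """Irreducible environments reachable by ⇒* (types hold dicts, so hash via repr)."""
    seen, todo, out = set(), [env], []
    while todo:
        e = todo.pop()
        key = repr(sorted(e.items()))
        if key in seen:
            continue
        seen.add(key)
        nxt = step(e)
        todo.extend(nxt) if nxt else out.append(e)
    return out

def deadlock_free(env):
    """Every maximal reduction sequence ends with all end-points at `end`."""
    return all(T == END for e in terminal_envs(env) for T in e.values())

def restrict(T, q):
    """T ↾ q: actions of T involving q (our reading of Appendix B, which is not shown above)."""
    tag = T[0]
    if tag == "end":
        return END
    if tag in ("!", "?", "+!"):
        rest = restrict(T[3], q)
        return T[:3] + (rest,) if T[1] == q else rest
    subs = {l: restrict(Tl, q) for l, Tl in T[2].items()}
    if T[1] == q:
        return (tag, q, subs)
    vals = list(subs.values())               # a choice not addressed to q must look the
    if any(v != vals[0] for v in vals):      # same on every branch to be restricted
        raise ValueError("choice not involving %s differs across branches" % q)
    return vals[0]

def dual(T1, T2):
    """T1 ⋈ T2: output meets input with the same sort, selection meets branching."""
    if T1[0] == "+!": T1 = ("+", T1[1], {T1[2]: T1[3]})   # committed choice = singleton selection
    if T2[0] == "+!": T2 = ("+", T2[1], {T2[2]: T2[3]})
    a, b = T1[0], T2[0]
    if a == b == "end":
        return True
    if {a, b} == {"!", "?"}:
        out, inp = (T1, T2) if a == "!" else (T2, T1)
        return out[2] == inp[2] and dual(out[3], inp[3])
    if {a, b} == {"+", "&"}:
        sel, bra = (T1, T2) if a == "+" else (T2, T1)
        return set(sel[2]) <= set(bra[2]) and all(dual(sel[2][l], bra[2][l]) for l in sel[2])
    return False

def peers(T):
    if T[0] == "end":
        return set()
    if T[0] in ("!", "?", "+!"):
        return {T[1]} | peers(T[3])
    return {T[1]}.union(*(peers(Tl) for Tl in T[2].values()))

def coherent(env, s):
    """co(Δ, s): each s[p] : T and q ≠ p with T ↾ q ≠ end needs s[q] : T' with T ↾ q ⋈ T' ↾ p.
    Self-communication is left to rule 2 and not treated as a coherence obligation."""
    for (s1, p), T in env.items():
        for q in (peers(T) - {p}) if s1 == s else ():
            Tq = restrict(T, q)
            if Tq != END and ((s, q) not in env or not dual(Tq, restrict(env[(s, q)], p))):
                return False
    return True

# Constructed three-party session: p sends a nat to q, then offers r a choice.
GOOD = {("s", "p"): send("q", "nat", select("r", {"ok": END, "ko": recv("r", "str", END)})),
        ("s", "q"): recv("p", "nat", END),
        ("s", "r"): branch("p", {"ok": END, "ko": send("p", "str", END)})}
```

With the rules encoded this way, `deadlock_free` explores every interleaving of choices and checks that each terminal environment has all end-points at `end`, which is the property coherence is meant to preserve under ⇒*; a constructed environment whose two end-points disagree on the payload sort fails both `coherent` and `deadlock_free`, since rule 1 never fires for it.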

Using the above notion we can state type preservation under reductions as follows: 

Theorem 4.6 (Subject Congruence and Reduction).

(1) If Γ ⊢_Σ P ▷ Δ and P ≡ P', then Γ ⊢_Σ P' ▷ Δ.

(2) If Γ ⊢_Σ P ▷ Δ and P →* P' with Δ coherent, then Γ ⊢_Σ P' ▷ Δ' for some Δ' such that Δ ⇒* Δ' with Δ' coherent.

Proof. We only list the crucial cases of the proof of subject reduction: the recursor (where mathematical induction is required), the initialisation, the input and the output. The proof of subject congruence is essentially the same as that in [24, 4]. Our proof for (2) works by induction on the length of the derivation P →* P'. The base case is trivial. We then proceed by a case analysis on the first reduction step P → P'' →* P'. We omit the hat from principal values and Σ for readability.
Case [ZeroR]. Trivial.

Case [SuccR]. Suppose that we have $\Gamma \vdash \mathsf{R}\,P\,\lambda i.\lambda X.Q\ (n+1) \triangleright \tau$ and $\mathsf{R}\,P\,\lambda i.\lambda X.Q\ (n+1) \to Q\{n/i\}\{\mathsf{R}\,P\,\lambda i.\lambda X.Q\ n / X\}$. Then there exists $\tau'$ such that

$$\Gamma, i : I, X : \tau'\{i/j\} \vdash Q \triangleright \tau'\{i+1/j\} \quad (4.7)$$
$$\Gamma \vdash P \triangleright \tau'\{0/j\} \quad (4.8)$$
$$\Gamma \vdash \Pi j{:}I.\tau' \blacktriangleright \Pi j{:}I.\kappa \quad (4.9)$$

with $\tau = (\Pi j{:}I.\tau')\ (n+1) = \tau'\{n+1/j\}$ and $\Gamma \models n+1 : I$. By the Substitution Lemma (Lemma 4.2 (1)), noting $\Gamma \models n : I$, we have $\Gamma, X : \tau'\{i/j\}\{n/i\} \vdash Q\{n/i\} \triangleright \tau'\{i+1/j\}\{n/i\}$, which means that

$$\Gamma, X : \tau'\{n/j\} \vdash Q\{n/i\} \triangleright \tau'\{n+1/j\} \quad (4.10)$$

Then we use an induction on n.

Base case n = 0: By applying the Substitution Lemma (Lemma 4.2 (2)) to (4.10) with (4.8), we have $\Gamma \vdash Q\{0/i\}\{P/X\} \triangleright \tau'\{1/j\}$.

Inductive case n ≥ 1: By the inductive hypothesis on n, we assume $\Gamma \vdash \mathsf{R}\,P\,\lambda i.\lambda X.Q\ n \triangleright \tau'\{n/j\}$. Then by applying the Substitution Lemma (Lemma 4.2) to (4.10) with this hypothesis, we obtain $\Gamma \vdash Q\{n/i\}\{\mathsf{R}\,P\,\lambda i.\lambda X.Q\ n / X\} \triangleright \tau'\{n+1/j\}$.



Case [Init].

$$\bar{a}[p_0,..,p_n](y).P \;\to\; (\nu s)(P\{s[p_0]/y\} \mid s : \varepsilon \mid a[p_1] : s \mid \ldots \mid a[p_n] : s)$$

We assume that $\Gamma \vdash_\emptyset \bar{a}[p_0,..,p_n](y).P \triangleright \Delta$. Inversion of [TInit] and [TSub] gives that $\Delta' \le \Delta$ and:

$$\forall i \neq 0,\ \Gamma \vdash p_i \triangleright \mathsf{nat} \quad (4.11)$$
$$\Gamma \vdash a : \langle G\rangle \quad (4.12)$$
$$\Gamma \models \mathsf{pid}(G) = \{p_0 .. p_n\} \quad (4.13)$$
$$\Gamma \vdash P \triangleright \Delta', y : G \upharpoonright p_0 \quad (4.14)$$

From (4.14) and Lemma 4.2 (3), $\Gamma \vdash P\{s[p_0]/y\} \triangleright \Delta', s[p_0] : G \upharpoonright p_0$ (4.15).

From Lemma 4.1 (3a) and [GInit], $\Gamma \vdash_s s : \varepsilon \triangleright \emptyset$ (4.16).

From (4.11), (4.12), (4.13) and [TReq], $\forall i \neq 0,\ \Gamma \vdash a[p_i] : s \triangleright s[p_i] : G \upharpoonright p_i$ (4.17).

Then [TPar] on (4.15), (4.16) and (4.17) gives:

$$\Gamma \vdash P\{s[p_0]/y\} \mid a[p_1] : s \mid \ldots \mid a[p_n] : s \;\triangleright\; \Delta', s[p_0] : G \upharpoonright p_0, \ldots, s[p_n] : G \upharpoonright p_n$$

From [GInit] and [GPar], we have:

$$\Gamma \vdash_s P\{s[p_0]/y\} \mid a[p_1] : s \mid \ldots \mid a[p_n] : s \mid s : \varepsilon \;\triangleright\; \Delta', s[p_0] : G \upharpoonright p_0, \ldots, s[p_n] : G \upharpoonright p_n$$

From Lemma 4.5 we know that $\mathsf{co}((s[p_0] : G \upharpoonright p_0, \ldots, s[p_n] : G \upharpoonright p_n), s)$. We can then use [GSRes] to get:

$$\Gamma \vdash (\nu s)(P\{s[p_0]/y\} \mid a[p_1] : s \mid \ldots \mid a[p_n] : s \mid s : \varepsilon) \triangleright \Delta'$$

We conclude from [TSub].
Case [Join].

$$a[p] : s \mid a[p](y).P \;\to\; P\{s[p]/y\}$$

We assume that $\Gamma \vdash a[p] : s \mid a[p](y).P \triangleright \Delta$. Inversion of [TPar] and [TSub] gives that $\Delta = \Delta', s[p] : T$ and:

$$\Gamma \vdash a[p] : s \triangleright s[p] : G \upharpoonright p \quad (4.18)$$
$$T \ge G \upharpoonright p \quad (4.19)$$
$$\Gamma \vdash a[p](y).P \triangleright \Delta' \quad (4.20)$$

By inversion of [TAcc] from (4.20), $\Gamma \vdash P \triangleright \Delta', y : G \upharpoonright p$ (4.21).

From (4.21) and Lemma 4.2 (3), $\Gamma \vdash P\{s[p]/y\} \triangleright \Delta', s[p] : G \upharpoonright p$ (4.22).

We conclude by [TSub] from (4.22) and (4.19).
Case [Send].

$$s[q]!\langle p, v\rangle; P \mid s : h \;\to\; P \mid s : h \cdot (q, p, v)$$

By the inductive hypothesis, $\Gamma \vdash_\Sigma s[q]!\langle p, v\rangle;P \mid s : h \triangleright \Delta$ with $\Sigma = \{s\}$. Since this is derived by [GPar], we have:

$$\Gamma \vdash s[q]!\langle p, v\rangle;P \triangleright \Delta_1 \quad (4.23)$$
$$\Gamma \vdash_{\{s\}} s : h \triangleright \Delta_2 \quad (4.24)$$

where $\Delta = \Delta_2 * \Delta_1$. From (4.23), we have

$$\Delta_1 = \Delta'_1, s[q] : {!}(p, S); T$$
$$\Gamma \vdash v : S \quad (4.25)$$
$$\Gamma \vdash P \triangleright \Delta'_1, s[q] : T. \quad (4.26)$$

Using [QSend] on (4.24) and (4.25) we derive

$$\Gamma \vdash_{\{s\}} s : h \cdot (q, p, v) \triangleright \Delta_2 ; \{s[q] : {!}(p, S)\}. \quad (4.27)$$

Using [GInit] on (4.26) we derive

$$\Gamma \vdash_\emptyset P \triangleright \Delta'_1, s[q] : T \quad (4.28)$$

and then using [GPar] on (4.28) and (4.27), we conclude

$$\Gamma \vdash_{\{s\}} P \mid s : h \cdot (q, p, v) \triangleright (\Delta_2 ; \{s[q] : {!}(p, S)\}) * (\Delta'_1, s[q] : T).$$

Note that $(\Delta_2 ; \{s[q] : {!}(p, S)\}) * (\Delta'_1, s[q] : T) = \Delta_2 * (\Delta'_1, s[q] : {!}(p, S);T)$.
Case [Recv].

$$s[p]?(q, x); P \mid s : (q, \{p\}, v) \cdot h \;\to\; P\{v/x\} \mid s : h$$

By the inductive hypothesis, $\Gamma \vdash_\Sigma s[p]?(q, x); P \mid s : (q, \{p\}, v) \cdot h \triangleright \Delta$ with $\Sigma = \{s\}$. Since this is derived by [GPar], we have:

$$\Gamma \vdash s[p]?(q, x); P \triangleright \Delta_1 \quad (4.29)$$
$$\Gamma \vdash_{\{s\}} s : (q, \{p\}, v) \cdot h \triangleright \Delta_2 \quad (4.30)$$

where $\Delta = \Delta_2 * \Delta_1$. From (4.29) we have

$$\Delta_1 = \Delta'_1, s[p] : {?}(q, S); T$$
$$\Gamma, x : S \vdash P \triangleright \Delta'_1, s[p] : T \quad (4.31)$$

From (4.30) we have

$$\Delta_2 = \{s[q] : {!}(p, S')\} * \Delta'_2$$
$$\Gamma \vdash_{\{s\}} s : h \triangleright \Delta'_2 \quad (4.32)$$
$$\Gamma \vdash v : S'. \quad (4.33)$$

The coherence of Δ implies $S = S'$. From (4.31) and (4.33), together with the Substitution Lemma, we obtain $\Gamma \vdash P\{v/x\} \triangleright \Delta'_1, s[p] : T$, which implies by rule [GInit]

$$\Gamma \vdash_\emptyset P\{v/x\} \triangleright \Delta'_1, s[p] : T. \quad (4.34)$$

Using rule [GPar] on (4.34) and (4.32) we conclude

$$\Gamma \vdash_{\{s\}} P\{v/x\} \mid s : h \triangleright \Delta'_2 * (\Delta'_1, s[p] : T).$$

Note that $(\{s[q] : {!}(p, S)\} * \Delta'_2) * (\Delta'_1, s[p] : {?}(q, S); T) \Rightarrow \Delta'_2 * (\Delta'_1, s[p] : T)$. □

Note that communication safety [24, Theorem 5.5] and session fidelity [24, Corollary 5.6] are corollaries of the above theorem.

A notable fact is that, in the presence of the asynchronous initiation primitive, we can still obtain progress in a single multiparty session as in [24, Theorem 5.12], i.e. if a program P starts from one session, the reductions at session channels do not get stuck. Formally:

(1) We say P is simple if P is typable and derived by Γ ⊢* P ▷ Δ, where the session typing in the premise and the conclusion of each prefix rule is restricted to at most a singleton. More concretely, (1) we eliminate Δ from [TInit], [TAcc], [TOut], [TIn], [TSel] and [TBra], (2) we delete [TDeleg] and [TRecep], (3) we restrict τ and Δ in [TPRec], [TEq], [TApp], [TRec] and [TVar] to contain at most one session typing, and (4) in [TPar] we set Δ = ∅ and let Δ' contain at most one session typing, or vice versa.

(2) We say P is well-linked when for each P →* Q, whenever Q has an active prefix whose subject is a (free or bound) shared channel, it is always reducible. This condition eliminates the one element which can hinder progress, namely interactions at shared channels that cannot proceed. See [24, § 5] for more detailed definitions.

The proof of the following theorem is essentially identical to that of [24, Theorem 5.12].

Theorem 4.7 (Progress). If P is well-linked, contains no element of the runtime syntax, and Γ ⊢* P ▷ ∅, then for all P →* Q, either Q ≡ 0 or Q → R for some R.
5. Typing examples

In this section, we give examples of typing derivations for the protocols mentioned in § 1 and § 2.

5.1. Repetition example - § 1 (1.1). This example illustrates the repetition of a message pattern. The global type for this protocol is G(n) = foreach(i < n){Alice → Bob : ⟨nat⟩. Bob → Carol : ⟨nat⟩}. Following the projection from Figure \W\, Alice's end-point projection of G(n) has the following form:

    G(n)↾Alice = R end λi.λx.
                   if Alice = Alice = Bob then (...)
                   else if Alice = Alice then (!(Bob, nat); if Alice = Bob = Carol then ... )
                   else if Alice = Bob then ...
                   else ...
                 n

For readability, we omit from our examples the impossible cases created by the projection algorithm. The number of cases can be automatically trimmed to keep only the ones whose resolution depends on free variables.

In this case, the projection yields the following local type:

    G(n)↾Alice = R end λi.λx. !(Bob, nat); x  n

Before typing, we first define some abbreviations:

    Alice(n) = ā[Alice, Bob, Carol](y).(R 0 λi.λX. y!⟨Bob, e[i]⟩; X  n)
    A(n) = {y : (G(n)↾Alice)}
    Γ = n : nat, a : ⟨G(n)⟩

Our goal is to prove the typing judgement

$$\Gamma \vdash \mathsf{Alice}(n) \triangleright \emptyset$$

We start from the leaves.

$$\frac{\Gamma, i : I, X : A(i) \vdash \mathsf{Env}}{\Gamma, i : I, X : A(i) \vdash X \triangleright y : A(i)}\ \text{[TVar]}$$

$$\frac{\Gamma, i : I, X : A(i) \vdash X \triangleright y : A(i)}{\Gamma, i : I, X : A(i) \vdash y!\langle \mathsf{Bob}, e[i]\rangle; X \triangleright y : {!}(\mathsf{Bob}, \mathsf{nat}); A(i)}\ \text{[TOut]}$$

$$\frac{\Gamma, i : I, X : A(i) \vdash y!\langle \mathsf{Bob}, e[i]\rangle; X \triangleright y : {!}(\mathsf{Bob}, \mathsf{nat}); A(i)}{\Gamma, i : I, X : A(i) \vdash y!\langle \mathsf{Bob}, e[i]\rangle; X \triangleright A(i+1)}\ \text{[TEq]}$$

The [TEq] rule can be used because the types A(i+1) and y : !(Bob, nat); (R end λj.λx. !(Bob, nat); x  i) are equivalent: they have the same weak-head normal form (we use the rule [WfBase]). Since we have the trivial Γ ⊢ 0 ▷ A(0), we can apply the rules [TPRec] and [TApp].

$$\frac{\Gamma, i : I, X : A(i) \vdash y!\langle \mathsf{Bob}, e[i]\rangle; X \triangleright A(i+1) \qquad \Gamma \vdash 0 \triangleright A(0) \qquad \Gamma, i : I \vdash A(i) \blacktriangleright \kappa}{\Gamma \vdash (\mathsf{R}\ 0\ \lambda i.\lambda X.\, y!\langle \mathsf{Bob}, e[i]\rangle; X) \triangleright \Pi i{:}I.A(i)}\ \text{[TPRec]}$$

$$\frac{\Gamma \vdash (\mathsf{R}\ 0\ \lambda i.\lambda X.\, y!\langle \mathsf{Bob}, e[i]\rangle; X) \triangleright \Pi i{:}I.A(i)}{\Gamma \vdash (\mathsf{R}\ 0\ \lambda i.\lambda X.\, y!\langle \mathsf{Bob}, e[i]\rangle; X\ n) \triangleright A(n)}\ \text{[TApp]}$$

We conclude with [TInit].

$$\frac{\Gamma \vdash a : \langle G(n)\rangle \qquad \Gamma \vdash (\mathsf{R}\ 0\ \lambda i.\lambda X.\, y!\langle \mathsf{Bob}, e[i]\rangle; X\ n) \triangleright A(n)}{\Gamma \vdash \mathsf{Alice}(n) \triangleright \emptyset}\ \text{[TInit]}$$

Bob(n) and Carol(n) can be typed similarly.
5.2. Sequence example - § 1 (1.2). The sequence example consists of n participants organised in the following way (when n ≥ 2): the starter W[n] sends the first message, the final worker W[0] receives the final message, and the middle workers first receive a message and then send another to the next worker. We write below the result of the projection for a participant W[p] (left) and the end-point type that naturally types the processes (right):

    R end λi.λx.                                      if p = W[n] then !(W[n-1], nat);
      if p = W[i+1] then !(W[i], nat); x              else if p = W[0] then ?(W[1], nat);
      else if p = W[i] then ?(W[i+1], nat); x         else if p = W[i] then ?(W[i+1], nat); !(W[i-1], nat);
      else x
    n

This example illustrates the main challenge faced by the type checking algorithm. In order to type this example, we need to prove the equivalence of these two types. For any concrete instantiation of p and n, the standard weak head normal form equivalence rule [WfBase] is sufficient. Proving the equivalence for all p and n requires either (a) bounding the domain I in which they live, and checking all instantiations within this finite domain using rule [WfRecF]; or (b) proving the equivalence through the meta-logic rule [WfRecExt]. In case (a), type checking terminates, while case (b) allows stronger properties about a protocol's implementation to be proved.



5.3. Ring - Figure 12(a). The typing of the ring pattern is similar to the one of the sequence. The projection of this global session type for W[p] gives the following local type:

    R (W[n] → W[0] : ⟨nat⟩. end)↾W[p]
      λi.λx. if p = W[n-i-1] then !(W[n-i], nat); x
             elseif p = W[n-i] then ?(W[n-i-1], nat); x
             else x
    n

On the other hand, user processes can easily be type-checked with an end-point type of the following form:

    if p = W[0] then !(W[1], nat); ?(W[n], nat);
    elseif p = W[n] then ?(W[n-1], nat); !(W[0], nat);
    elseif 1 ≤ i+1 ≤ n-1 and p = W[i+1] then ?(W[i], nat); !(W[i+2], nat);

Proving the equivalence between these types is similar to the sequence case: we rely on rules [WfBase] and [WfRecF] when the domain of n is bounded, or on the meta-logic rule [WfRecExt].
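Bounded equivalence checking of the kind described for the sequence and ring above (and the projection of § 5.1), as an added example that is not from the paper: global types are encoded as lists of messages, the recursor R is unfolded as in [SuccR], projection onto a participant is computed for concrete indices, and the generator's projection is compared with the hand-written end-point type for every n and p in a finite domain, which is the [WfRecF] strategy (a). The Python encoding, the helper names (`rec`, `foreach`, `project`, `W`) and the domain bound are assumptions of this example.

```python
# Projection of parameterised global types and bounded ([WfRecF]-style) equivalence
# checking for the repetition (§ 5.1), sequence (§ 5.2) and ring (§ 5.3) examples.
# Added example, not the paper's code: the encodings of types as Python lists are ours.

def W(*idx):
    """Indexed participant name, e.g. W(3) = 'W[3]'."""
    return "W" + "".join("[%d]" % i for i in idx)

def rec(base, step, n):
    """Primitive recursor R base (λi.λx.step(i, x)) n, unfolded as in [SuccR]:
    R base F (n+1) → step(n, R base F n).  The i = n-1 instance ends up outermost."""
    t = list(base)
    for i in range(n):
        t = step(i, t)
    return t

def foreach(n, body):
    """foreach(i < n){body(i)} = R end (λi.λx. body(i); x) n, on global types given as
    lists of messages (sender, receiver, sort); [] is end."""
    return rec([], lambda i, x: body(i) + x, n)

def project(G, p):
    """G ↾ p for a concrete global type: a message p' → q : (U) contributes !(q, U) to the
    sender, ?(p', U) to the receiver, and both (send then receive) when p' = q = p."""
    T = []
    for sender, receiver, U in G:
        if p == sender:
            T.append(("!", receiver, U))
        if p == receiver:
            T.append(("?", sender, U))
    return T

# § 5.1: G(n) = foreach(i < n){Alice -> Bob : (nat). Bob -> Carol : (nat)}
def G_repeat(n):
    return foreach(n, lambda i: [("Alice", "Bob", "nat"), ("Bob", "Carol", "nat")])

# § 5.2: the starter W[n] sends first, W[0] receives last; each step is W[i+1] -> W[i].
def G_seq(n):
    return foreach(n, lambda i: [(W(i + 1), W(i), "nat")])

def hand_seq(p, n):
    """The programmer's end-point type for W[p] (right column of § 5.2)."""
    if p == n:
        return [("!", W(n - 1), "nat")]
    if p == 0:
        return [("?", W(1), "nat")]
    return [("?", W(p + 1), "nat"), ("!", W(p - 1), "nat")]

# § 5.3: R (W[n] -> W[0] : (nat). end) (λi.λx. W[n-i-1] -> W[n-i] : (nat). x) n
def G_ring(n):
    return rec([(W(n), W(0), "nat")], lambda i, x: [(W(n - i - 1), W(n - i), "nat")] + x, n)

def hand_ring(p, n):
    """The programmer's end-point type for W[p] (§ 5.3)."""
    if p == 0:
        return [("!", W(1), "nat"), ("?", W(n), "nat")]
    if p == n:
        return [("?", W(n - 1), "nat"), ("!", W(0), "nat")]
    return [("?", W(p - 1), "nat"), ("!", W(p + 1), "nat")]

def equivalent_on_domain(G, hand, n_max):
    """[WfRecF]-style check: the projection of the generator and the hand-written type
    agree for every n in 2..n_max and every participant index p in 0..n."""
    return all(project(G(n), W(p)) == hand(p, n)
               for n in range(2, n_max + 1) for p in range(n + 1))

if __name__ == "__main__":
    print(project(G_repeat(3), "Alice"))          # [('!', 'Bob', 'nat')] * 3
    print(equivalent_on_domain(G_seq, hand_seq, 10), equivalent_on_domain(G_ring, hand_ring, 10))
```

The check is only as strong as the bound: it terminates because the domain is finite, which is exactly the trade-off the text draws between strategy (a) and the meta-logic rule [WfRecExt]; comparing the sequence generator against the ring's hand-written type shows the same function rejecting a wrong candidate.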



5.4. Mesh pattern - Figure 12(b). The mesh example describes nine different participant behaviours (when n, m ≥ 2). The participants in the first and last rows and columns, except the corners which have two neighbours, have three neighbours. The other participants have four neighbours. The specification of the mesh is defined by the communication behaviour of each participant and by the links the participants have with their neighbours. The term below is the result of the projection of the global type for participant p:

    R (R end λk.λz. if p = W[0][k+1] then !(W[0][k], nat); z
                    elseif p = W[0][k] then ?(W[0][k+1], nat); z
                    else z
       m)
      λi.λx.
      (R (if p = W[i+1][0] then !(W[i][0], nat); x
          elseif p = W[i][0] then ?(W[i+1][0], nat); x
          else x)
         λj.λy.
         if p = W[i+1][j+1] then !(W[i][j+1], nat);
                if p = W[i+1][j+1] then !(W[i+1][j], nat); y
                elseif p = W[i+1][j] then ?(W[i+1][j+1], nat); y
                else y
         elseif p = W[i][j+1] then ?(W[i+1][j+1], nat);
                if p = W[i+1][j+1] then !(W[i+1][j], nat); y
                elseif p = W[i+1][j] then ?(W[i+1][j+1], nat); y
                else y
         elseif p = W[i+1][j+1] then !(W[i+1][j], nat); y
         elseif p = W[i+1][j] then ?(W[i+1][j+1], nat); y
         else y
       m)
    n

From Figure 12(c), the user would design the end-point type as follows:

    if p = W[n][m] then !(W[n-1][m], nat); !(W[n][m-1], nat);
    elseif p = W[n][0] then ?(W[n][1], nat); !(W[n-1][0], nat);
    elseif p = W[0][m] then ?(W[1][m], nat); !(W[0][m-1], nat);
    elseif p = W[0][0] then ?(W[1][0], nat); ?(W[0][1], nat);
    elseif 1 ≤ k+1 ≤ m-1 and p = W[n][k+1]
           then ?(W[n][k+2], nat); !(W[n-1][k+1], nat); !(W[n][k], nat);
    elseif 1 ≤ k+1 ≤ m-1 and p = W[0][k+1]
           then ?(W[1][k+1], nat); ?(W[0][k+2], nat); !(W[0][k], nat);
    elseif 1 ≤ i+1 ≤ n-1 and p = W[i+1][m]
           then ?(W[i+2][m], nat); !(W[i][m], nat); !(W[i+1][m-1], nat);
    elseif 1 ≤ i+1 ≤ n-1 and p = W[i+1][0]
           then ?(W[i+2][0], nat); ?(W[i+1][1], nat); !(W[i][0], nat);
    elseif 1 ≤ i+1 ≤ n-1 and 1 ≤ j+1 ≤ m-1 and p = W[i+1][j+1]
           then ?(W[i+2][j+1], nat); ?(W[i+1][j+2], nat); !(W[i][j+1], nat); !(W[i+1][j], nat);

Each case denotes a different local behaviour in the mesh pattern. We present the following meta-logic proof of the typing equivalence through [WfRecExt] in the two cases of the top-left corner and the bottom row, in order to demonstrate how our system types the mesh session. The other cases are left to the reader.

Let T[p][n][m] designate the first, original type and T'[p][n][m] the second type. To prove the type equivalence, we want to check that for all n, m ≥ 2 and p, we have:

$$(\Pi n.\Pi m.\, T[p][n][m])\ n\ m \to^* T_{n,m} \quad \text{iff} \quad (\Pi n.\Pi m.\, T'[p][n][m])\ n\ m \to^* T_{n,m}$$

For p = W[n][m], which implements the top-left corner, the generator type reduces in several steps and gives the end-point type !(W[n-1][m], nat); !(W[n][m-1], nat); 0, which is the same as the one returned in one step by the case analysis of the type built by the programmer. For p = W[0][k+1], we analyse the case where 1 ≤ k+1 ≤ m-1. The generator type returns the end-point type ?(W[1][k+1], nat); ?(W[0][k+2], nat); !(W[0][k], nat);. One can observe that the end-point type returned for p = W[0][k+1] in the programmer's type is the same as the one returned by the generator. Similarly for all the other cases.

By [TOut, TIn], we have:

$$a : \langle G\rangle \vdash y!\langle W[n-1][m], f(n-1, m)\rangle;\ y!\langle W[n][m-1], f(n, m-1)\rangle;\ 0 \;\triangleright\; \Delta, y : G \upharpoonright p_{\mathit{top\text{-}left}}$$
$$a : \langle G\rangle \vdash y?(W[1][k+1], z_1);\ y?(W[0][k+2], z_2);\ y!\langle W[0][k], f(0, k)\rangle;\ 0 \;\triangleright\; \Delta', y : G \upharpoonright p_{\mathit{bottom}}$$

where G↾p is obtained from the type above.

5.5. FFT example - Figure 8. We prove type-safety and deadlock-freedom for the FFT processes. Let P_fft be the following process:

    Πn.(νa)(R  ā[p_0..p_{2^n-1}](y).P(2^n - 1, p_0, x_{p_0}, y, r_{p_0})
               λi.λY.(a[p_{i+1}](y).P(i+1, p_{i+1}, x_{p_{i+1}}, y, r_{p_{i+1}}) | Y)
            2^n - 1)

As we reasoned above, each P(n, p, x_p, y, r_p) is straightforwardly typable by an end-point type which can be proven equivalent to the one projected from the global type G of Figure 8(c). Automatically checking the equivalence for all n is not easy though: we need to rely on the finite domain restriction using [WfRecF], or on a meta-logic proof through [WfRecExt]. The following theorem says that once P_fft is applied to a natural number m, its evaluation always terminates with the answer at r_p.

Theorem 5.1 (Type safety and deadlock-freedom of FFT). For all m, ⊢ P_fft m ▷ ∅; and if P_fft m →* Q, then Q →* (r_0!⟨0, X_0⟩ | ... | r_{2^m-1}!⟨0, X_{2^m-1}⟩), where the r_p!⟨0, X_p⟩ are the actions sending the final values X_p on the external channels r_p.

Proof. For the proof, we first show that P_fft m is typable by a single multiparty dependent session (except for the answering channels r_p). Then the result is immediate as a corollary of progress (Theorem 4.7).

To prove that the processes are typable against the given global type, we start from the end-point projection.

We assume the index n to be a parameter as in Figure 8. The main loop is an iteration over the n steps of the algorithm. Forgetting for now the content of the main loop, the generic projection for machine p has the following skeleton:

    Πn.(R (R end λl.λx.(...) n)
          λk.λu. if p = k then !(k, U); ?(k, U); u else u
        2^n)

A simple induction gives us, through [WfRecExt], the equivalent type:

    Πn. !(p, U); ?(p, U); (R end λl.λx.(...) n)
We now consider the inner loops. The generic projection gives: 
We now consider the inner loops. The generic projection gives:

    (R x λi.λy.
       (R y λj.λz.
          if p = i * 2^{n-l} + 2^{n-l-1} + j = i * 2^{n-l} + j then ...
          else if p = i * 2^{n-l} + 2^{n-l-1} + j then !(i * 2^{n-l} + j, U); ...
          else if p = i * 2^{n-l} + j then ?(i * 2^{n-l} + 2^{n-l-1} + j, U); ...
          else if ... then ... else ...
        ) 2^{n-l-1}

An induction over p and some simple arithmetic over binary numbers gives us, through [WfRecExt], the only two branches that can be taken:

    if bit_{n-l}(p) = …
    then ?(p + 2^{n-l-1}, U); !(p + 2^{n-l-1}, U); !(p, U); ?(p, U); x
    else !(p - 2^{n-l-1}, U); ?(p - 2^{n-l-1}, U); !(p, U); ?(p, U); x

The first branch corresponds to the upper part of the butterfly while the second one corresponds to the lower part. For programming reasons (as seen in the processes, the natural implementation includes sending a first initialisation message with the x_k value), we want to shift the self-receive ?(p, U); from the initialisation to the beginning of the loop iteration, at the price of adding a last self-receive at the end: ?(p, U); end. The resulting equivalent type, up to ≡, is:

    Πn. !(p, U);
        (R ?(p, U); end
           λl.λx.
           if bit_{n-l}(p) = …
           then ?(p, U); ?(p + 2^{n-l-1}, U); !(p + 2^{n-l-1}, U); !(p, U); x
           else ?(p, U); !(p - 2^{n-l-1}, U); ?(p - 2^{n-l-1}, U); !(p, U); x
         n)

From this end-point type, it is straightforward to type and implement the processes defined in Figure 8(d) in § 2.6. Hence we conclude the proof. □

5.6. Web Service. This section demonstrates the expressiveness of our type theory. We program and type a real-world Web service usecase: Quote Request (C-U-002) is the most complex scenario described in [37], the public document authored by the W3C Choreography Description Language Working Group [40].

Quote Request usecase. The usecase is described below (as published in [37]). A buyer interacts with multiple suppliers who in turn interact with multiple manufacturers in order to obtain quotes for some goods or services. The steps of the interaction are:

(1) A buyer requests a quote from a set of suppliers. All suppliers receive the request for 
quote and send requests for a bill of material items to their respective manufacturers. 

(2) The suppliers interact with their manufacturers to build their quotes for the buyer. The 
eventual quote is sent back to the buyer. 

(3) EITHER 

(a) The buyer agrees with one or more of the quotes and places the order or orders. 
OR 
(b) The buyer responds to one or more of the quotes by modifying and sending them back to the relevant suppliers.

(4) EITHER

(a) The suppliers respond to a modified quote by agreeing to it and sending a confirmation message back to the buyer. OR

(b) The supplier responds by modifying the quote and sending it back to the buyer, and the buyer goes back to STEP 3. OR

(c) The supplier responds to the buyer rejecting the modified quote. OR

(d) The quotes from the manufacturers need to be renegotiated by the supplier. Go to STEP 2.

[Figure 19: The Quote Request usecase (C-U-002) [37]. The figure shows the suppliers Supp[0], Supp[1], Supp[2] and the manufacturers Manu[0], Manu[1], Manu[2], with a manufacturer connected to a supplier aliased as Manu[i][j] (e.g. Manu[0][0], Manu[0][1], Manu[2][1], Manu[1][2], Manu[2][2]).]

The usecase, depicted in Figure 19, may seem simple, but it contains many challenges. The requirements in Section 3.1.2.2 of [37] include: [R1] the ability to repeat the same set of interactions between different parties using a single definition and to compose them; [R2] the number of participants may be bounded at design time or at runtime; and [R3] the ability to reference a global description from within a global description to support recursive behaviour, as denoted in Step 4(b, d). The following works through a parameterised global type specification that satisfies these requirements.

Modular programming using global types. We develop the specification of the usecase program modularly, starting from smaller global types. Here, Buyer stands for the buyer, Supp[i] for a supplier, and Manu[j] for a manufacturer. We then alias manufacturers by Manu[i][j] to identify that Manu[j] is connected to Supp[i] (so a single Manu[j] can have multiple aliases Manu[i'][j], see Figure 19). Then, using the idioms presented in § 1, Step 1 is defined as:

    G_1 = foreach(i : I){Buyer → Supp[i] : ⟨Quote⟩. end}

For Step 2, we compose a nested loop and the subsequent action within the main loop (J_i gives all Manu[j] connected to Supp[i]):

    G_2 = foreach(i : I){G'_2[i], Supp[i] → Buyer : ⟨Quote⟩. end}
    G'_2[i] = foreach(j : J_i){Supp[i] → Manu[i][j] : ⟨Item⟩. Manu[i][j] → Supp[i] : ⟨Quote⟩. end}



G'_2[i] represents the second loop between the i-th supplier and its manufacturers. Regarding Step 3, the specification involves buyer preferences for certain suppliers. Since this can be encoded using dependent types (like the encoding of if), we omit this part and assume the preference is given by the (reverse) ordering of I, in order to focus on the description of the interaction structure.

    G_3 = R t λi.λy. Buyer → Supp[i] : {
            ok : end
            modify : Buyer → Supp[i] : ⟨Quote⟩.
                     Supp[i] → Buyer : { ok : end
                                         retryStep3 : y
                                         reject : end } }  i

In the innermost branch, ok, retryStep3 and reject correspond to Step 4(a), (b) and (c) respectively. The type variable t is for (d). We can now compose all these subprotocols together. Taking G_23 = μt.(G_2, G_3) and assuming I = [0..i], the full global type is

    Λi.ΛJ. G_1, G_23

where we have i suppliers, and J gives the (contiguous) index sets J_i of the Manu[j]s connected with each Supp[i].

End-point types. We show the end-point type for suppliers, who engage in the most complex interaction structures among the participants. The projections corresponding to G_1 and G_2 are straightforward:

    G_1↾Supp[n] = ?(Buyer, Quote)
    G_2↾Supp[n] = foreach(j : J_n){!(Manu[n][j], Item); ?(Manu[n][j], Quote)}; !(Buyer, Quote)

For G_3↾Supp[n], we use the branching injection and mergeability theory developed in § 3.1. After the relevant application of [TEq], we can obtain the following projection:

    &(Buyer, { ok : end
               modify : ?(Buyer, Quote); ⊕(Buyer, { ok : end
                                                    retryStep3 : T
                                                    reject : end }) })

where T is a type for the invocation from Buyer:

    if n < i then &(Buyer, {closed : end, retryStep3 : t})
    elseif i = n then t

To tell the other suppliers whether the loop is being reiterated or is finished, we can simply insert the closing notification foreach(j : I \ i){Buyer → Supp[j] : {close :}} before each end, and a similar retry notification (with label retryStep3) before t. Finally, each end-point type is formed by the following composition:

    G_1↾Supp[n], μt.(G_2↾Supp[n], G_3↾Supp[n])

Following this specification, the projections can be implemented in various end-point languages (such as CDL or BPEL).
6. Conclusion and related work

This paper studies a parameterised multiparty session type theory which combines three well-known theories: indexed dependent types [41], dependent types with recursors [31] and multiparty session types [4, 23]. The resulting typing system is decidable (under an appropriate assumption about the index arithmetic). It offers great expressive power for describing complex communication topologies and guarantees safety properties of processes running under such topologies. We have explored the impact of parameterised type structures for communications through implementations of the above web service usecases and of several parallel algorithms in Java and C with session types [26, 25], including the N-body (with a ring topology), the Jacobi method (with sequence and mesh topologies) and the FFT [33, 32]. We observe (1) a clear coordination of the communication behaviour of each party with the construction of the whole multiparty protocol, thus reducing programming errors and ensuring deadlock-freedom; and (2) a performance benefit against the original binary session version, reducing the overhead of multiple binary session establishments (see also [33, 32]). Full implementation and integration of our theory into [26, 5, 25] is on-going work.

6.1. Related work. We focus on the works on dependent types and other typed process calculi which are related to multiparty session types; for further comparisons of session types with other service-oriented calculi and behavioural typing systems, see [19] for a wide-ranging survey of the related literature.

Dependent types. The first use of primitive recursive functionals for dependent types is in Nelson's T^ω [31] for the λ-calculus, which is a finite representation of T^∞ by Tait and Martin-Löf [39, 28]. T^ω can type functions previously untypable in ML, and the finite representability of dependent types makes it possible to have a type-reconstruction algorithm. We also use the ideas from DML's dependent typing system in [41, 1], where type dependency is only allowed for index sorts, so that type-checking can be reduced to a constraint-solving problem over indices. Our design choice to combine both systems gives (1) the simplest formulation of sequences of global and end-point types and processes described by the primitive recursor; (2) a precise specification for parameters appearing in the participants based on index sorts; and (3) a clear integration with the full session types and general recursion, whilst ensuring decidability of type-checking (if the constraint-solving problem is decidable). On the basis of these works, our type equivalence does not have to rely on behavioural equivalence between processes, but only on the strongly normalising types represented by recursors.

Dependent types have also been studied in the context of process calculi, where the dependency centres on locations (e.g. [22]) and channels (e.g. [42]) for mobile agents or higher-order processes. An effect-based session typing system with correspondence assertions for specifying fine-grained communication specifications is studied in [8], where effects can appear both in types and processes. None of these works investigate families of global specifications using dependent types. Our main typing rules require a careful treatment for type soundness not found in the previous works, due to the simultaneous instantiation of terms and indices by the recursor, with reasoning by mathematical induction (note that type soundness was left open in [31]).
Types and contracts for multiparty interactions. The first papers on multiparty session 
types were [7] and [21]. The former uses a distributed calculus where each channel 
connects a master end-point to one or more slave end-points; instead of global types, they 
use only local types. Since the first work [23] was proposed, this theory has been used in 
different contexts such as distributed protocol implementation and optimisation [38], 
security [5, 10], design by contract [6], parallel algorithms [33, E2], web services [33], 
multicore programming [33], an advanced progress guarantee [3], messaging optimisation [30], 
structured exceptions [11], buffer and channel size analysis for multiparty interactions [16], 
medical guidelines [33] and communicating automata [18], some of which initiated industrial 
collaborations, cf. [23]. Our typing system can be smoothly integrated with these works, 
as no changes to the runtime typing components have been made while expressiveness has 
been greatly improved. 

The work [12] presented executable global processes for web interactions based on 
binary session types. Our work provides flexible, programmable global descriptions as types, 
offering progress for parameterised multiparty sessions, which is not ensured in [12]. 

The work [3] provides a programming idiom of roles, defining different classes of 
participants, and a different type system for parameterised session types. There is no 
investigation of the system's expressivity for the 3D-Mesh pattern as we have presented in this paper 
through the Fast Fourier Transformation example. The static type system follows the typing 
strategy and programming methodology of multiparty session types: programmers first 
define the global type of the intended pattern and then define each of the roles; the roles are 
then validated through projection of the global type onto the principals by type-checking. 

Recent formalisms for typing multiparty interactions include [14, 9]. These works treat 
different aspects of dynamic session structures. Contracts [14] can type more processes than 
session types, thanks to the flexibility of process syntax for describing protocols. However, 
typable processes themselves in [13] may not always satisfy the properties of session types 
such as progress: it is proved later by checking whether the type meets a certain form. 
Hence proving progress with contracts effectively requires an exploration of all possible 
paths (interleaving, choices) of a protocol. The most complex example of [13, § 3] (a group 
key agreement protocol from [2]), which is typed as π-processes with delegations, can be 
specified and articulated by a single parameterised global session type as: 

Π n : I.( foreach(i < n){W[n-i] -> W[n-i+1] : <nat>}; 
          foreach(i < n){W[n-i] -> W[n+1] : <nat>.W[n+1] -> W[n-i] : <nat>} ) 

Once the end-point process conforms to this specification, we can automatically guarantee 
communication safety and progress. 
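As an added illustration (not code from the paper), the following Python unfolds the parameterised global type above for a concrete index n. It encodes each interaction W[a] -> W[b] : <nat> as a triple and assumes the recursor unfolds by R G λi.λx.G' 0 = G and R G λi.λx.G' (i+1) = G'{i/i}{(R G λi.λx.G' i)/x}, so that foreach(i < n){G} lists the body for i = n-1 first and for i = 0 last.

```python
"""Unfolding a recursor-based parameterised global type at a concrete index.
Added example with our own encoding of interactions; not code from the paper."""
from typing import Callable, List, Set, Tuple

# One interaction W[a] -> W[b] : <sort>, as (sender index, receiver index, payload sort).
Interaction = Tuple[int, int, str]
GlobalType = List[Interaction]        # a sequential global type  G_1 ; G_2 ; ... ; G_k


def recursor(base: GlobalType, body: Callable[[int, GlobalType], GlobalType], n: int) -> GlobalType:
    """R G (lambda i. lambda x. G') n by primitive recursion (assumed unfolding):
    R G ... 0 = G   and   R G ... (i+1) = G'{i/i}{(R G ... i)/x}."""
    if n == 0:
        return base
    return body(n - 1, recursor(base, body, n - 1))


def foreach(n: int, g: Callable[[int], GlobalType]) -> GlobalType:
    """foreach(i < n){G} as the abbreviation of  R end (lambda i. lambda x. G ; x) n:
    the body instantiated at i = n-1 comes first and the one at i = 0 last."""
    return recursor([], lambda i, x: g(i) + x, n)


def group_key_agreement(n: int) -> GlobalType:
    """The global type quoted above, instantiated at n: first the ring W[1] -> W[2] -> ... -> W[n+1],
    then each W[k] (k = 1..n) exchanges one nat with W[n+1] in both directions."""
    phase1 = foreach(n, lambda i: [(n - i, n - i + 1, "nat")])
    phase2 = foreach(n, lambda i: [(n - i, n + 1, "nat"), (n + 1, n - i, "nat")])
    return phase1 + phase2


def participants(g: GlobalType) -> Set[int]:
    """The set of participant indices mentioned by an unfolded global type."""
    return {p for (a, b, _) in g for p in (a, b)}


if __name__ == "__main__":
    for a, b, sort in group_key_agreement(3):      # n = 3: participants W[1] .. W[4]
        print(f"W[{a}] -> W[{b}] : <{sort}>")
```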

Conversation Calculus [9] supports the dynamic joining and leaving of participants. We 
also introduced a dynamic role-based multiparty session type discipline in previous work 
[17], where an arbitrary number of participants can interact in a running session via a 
universal polling operator. This work was extended with simple relations between roles 
in [36] to dynamically handle the complex topologies presented in this paper. Although 
the formalism in § 2.4 can operationally capture some dynamic features, the aim of the 
present work is not the type-abstraction of dynamic interaction patterns. Our purpose is 
to capture, in a single type description, a family of protocols over arbitrary numbers of 
participants, to be instantiated at runtime. Parameterisation gives freedom not possible 
with previous session types: once typed, a parametric process is guaranteed that all its 
well-typed instantiations, in terms of both topologies and process behaviours, satisfy the 
safety and progress properties of typed processes, without the cost of complex runtime 
support (as in [17]). Parameterisation, composition and repetition are common idioms in 
parallel algorithms and choreographic/conversational interactions, all of which are uniformly 
treatable in our dependent type theory. Here types offer a rigorous structuring principle 
which can economically abstract rich interaction structures, including parameterised ones. 
Appendix A. Kinding and typing rules 

In this appendix, we give the kinding rules and typing rules that were 
omitted from the main sections. 

A.1. Kinding and subtyping. Figure 20 defines the kinding rules for local types. Figure 
21 presents the subtyping rules, which are used for typing runtime processes. The rules 
for the type isomorphism can be obtained by replacing ≤ by ≈. 
$$
\frac{\Gamma \vdash T \le T'}{\Gamma \vdash \,!\langle p,U\rangle;T \le \,!\langle p,U\rangle;T'}\ \lfloor\textsc{TSubOut}\rfloor
\qquad
\frac{\Gamma \vdash T \le T'}{\Gamma \vdash \,?(p,U);T \le \,?(p,U);T'}\ \lfloor\textsc{TSubIn}\rfloor
$$

$$
\frac{\forall k \in K \subseteq J,\ \Gamma \vdash T_k \le T'_k}{\Gamma \vdash \oplus\langle p,\{l_k : T_k\}_{k\in K}\rangle \le \oplus\langle p,\{l_j : T'_j\}_{j\in J}\rangle}\ \lfloor\textsc{TSubSel}\rfloor
\qquad
\frac{\forall k \in J \subseteq K,\ \Gamma \vdash T_k \le T'_k}{\Gamma \vdash \&\langle p,\{l_k : T_k\}_{k\in K}\rangle \le \&\langle p,\{l_j : T'_j\}_{j\in J}\rangle}\ \lfloor\textsc{TSubBra}\rfloor
$$

$$
\frac{\Gamma \vdash T_1 \le T_2 \quad \Gamma, i:I \vdash T'_1 \le T'_2}{\Gamma \vdash \mathsf{R}\,T_1\,\lambda i:I.\lambda x.T'_1 \le \mathsf{R}\,T_2\,\lambda i:I.\lambda x.T'_2}\ \lfloor\textsc{TSubPRec}\rfloor
$$

$$
\frac{\Gamma \vdash T\{\mu x.T/x\} \le T'}{\Gamma \vdash \mu x.T \le T'}\ \lfloor\textsc{TLSubRec}\rfloor
\qquad
\frac{\Gamma \vdash T' \le T\{\mu x.T/x\}}{\Gamma \vdash T' \le \mu x.T}\ \lfloor\textsc{TRSubRec}\rfloor
$$

$$
\frac{\Gamma \vdash T \le T' \quad \Gamma \vdash i : I = i' : I}{\Gamma \vdash T\,i \le T'\,i'}\ \lfloor\textsc{TSubProj}\rfloor
\qquad
\frac{\Gamma \vdash \mathrm{Env}}{\Gamma \vdash \mathrm{end} \le \mathrm{end}}\ \lfloor\textsc{TSubEnd}\rfloor
\qquad
\frac{\Gamma \vdash \mathrm{Env}}{\Gamma \vdash x \le x}\ \lfloor\textsc{TSubRVar}\rfloor
$$

Figure 21: Subtyping 

Appendix B. Typing system for runtime processes 

This appendix defines a typing system for runtime processes (which contain queues). Most 
of the definitions are from [3]. 



$$
\begin{array}{llll}
\text{Message} & \mathfrak{T} ::= & !\langle p,U\rangle & \text{message send}\\
 & \mid & \oplus\langle p,l\rangle & \text{message selection}\\
 & \mid & \mathfrak{T};\mathfrak{T}' & \text{message sequence}\\[4pt]
\text{Generalised} & \mathbb{T} ::= & T & \text{session}\\
 & \mid & \mathfrak{T} & \text{message}\\
 & \mid & \mathfrak{T};T & \text{continuation}
\end{array}
$$

Message types are the types for queues: they represent the messages contained in the 
queues. The message send type !⟨p,U⟩ expresses the communication to p of a value or 
of a channel of type U. The message selection type ⊕⟨p,l⟩ represents the communication 
to participant p of the label l, and 𝔗;𝔗' represents sequencing of message types (we assume 
associativity for ;). For example ⊕⟨1,ok⟩ is the message type for the message (2,1,ok). 
A generalised type is either a session type, or a message type, or a message type followed 
by a session type. Type 𝔗;T represents the continuation of the message type 𝔗 associated to a 
queue with the session type T associated to a pure process. An example of generalised type is 
⊕⟨1,ok⟩; !⟨3,string⟩; ?(3,date); end. 

In order to take into account the structural congruence between queues (see Figure 7), 
we consider message types modulo the equivalence relation ≈ induced by the rule shown 
below (with †, †' ∈ {!, ⊕} and Z ∈ {U, l}): 

$$
\dagger\langle p,Z\rangle;\dagger'\langle q,Z\rangle;\mathfrak{T} \;\approx\; \dagger'\langle q,Z\rangle;\dagger\langle p,Z\rangle;\mathfrak{T} \quad \text{if } p \neq q
$$

The equivalence relation on message types extends to generalised types by: 

$$
\mathfrak{T} \approx \mathfrak{T}' \ \text{ implies }\ \mathfrak{T};T \approx \mathfrak{T}';T
$$

We say that two session environments Δ and Δ' are equivalent (notation Δ ≈ Δ') if 
c : 𝕋 ∈ Δ and 𝕋 ≠ end imply c : 𝕋' ∈ Δ' with 𝕋 ≈ 𝕋', and vice versa. This equivalence 
relation is used in rule ⌊Equiv⌋ (see Figure 22). 



$$
\frac{\Gamma \vdash P \triangleright \Delta}{\Gamma \vdash_{\emptyset} P \triangleright \Delta}\ \lfloor\textsc{GInit}\rfloor
\qquad
\frac{\Gamma \vdash_{\Sigma} P \triangleright \Delta \quad \Delta \approx \Delta'}{\Gamma \vdash_{\Sigma} P \triangleright \Delta'}\ \lfloor\textsc{Equiv}\rfloor
\qquad
\frac{\Gamma \vdash_{\Sigma} P \triangleright \Delta \quad \Delta \le \Delta'}{\Gamma \vdash_{\Sigma} P \triangleright \Delta'}\ \lfloor\textsc{Subs}\rfloor
$$

$$
\frac{\Gamma \vdash_{\Sigma} P \triangleright \Delta \quad \Gamma \vdash_{\Sigma'} Q \triangleright \Delta' \quad \Sigma \cap \Sigma' = \emptyset}{\Gamma \vdash_{\Sigma \cup \Sigma'} P \mid Q \triangleright \Delta * \Delta'}\ \lfloor\textsc{GPar}\rfloor
\qquad
\frac{\Gamma \vdash_{\Sigma} P \triangleright \Delta \quad \mathrm{co}(\Delta, s)}{\Gamma \vdash_{\Sigma \setminus s} (\nu s)P \triangleright \Delta \setminus s}\ \lfloor\textsc{GSRes}\rfloor
$$

Figure 22: Run-time process typing 

We start by defining the typing rules for single queues, in which the turnstile ⊢ is 
decorated with {s} (where s is the session name of the current queue) and the session 
environments are mappings from channels to message types. The empty queue has an empty 
session environment. Each message adds an output type to the current type of the channel 
which has the role of the message sender. Figure 23 lists the typing rules for queues, where 
; on session environments is defined by: 

$$
\Delta;\{s[q] : \mathfrak{T}\} =
\begin{cases}
\Delta', s[q] : \mathfrak{T}';\mathfrak{T} & \text{if } \Delta = \Delta', s[q] : \mathfrak{T}'\\
\Delta, s[q] : \mathfrak{T} & \text{otherwise.}
\end{cases}
$$

For example we can derive ⊢_{s} s : (3,1,ok) ▷ {s[3] : ⊕⟨1,ok⟩}. 

$$
\frac{\Gamma \vdash \mathrm{Env}}{\Gamma \vdash_{\{s\}} s : \varnothing \triangleright \emptyset}\ \lfloor\textsc{QInit}\rfloor
\qquad
\frac{\Gamma \vdash_{\{s\}} s : h \triangleright \Delta \quad \Gamma \vdash v : S}{\Gamma \vdash_{\{s\}} s : h\cdot(q,p,v) \triangleright \Delta;\{s[q] : \,!\langle p,S\rangle\}}\ \lfloor\textsc{QSend}\rfloor
$$

$$
\frac{\Gamma \vdash_{\{s\}} s : h \triangleright \Delta}{\Gamma \vdash_{\{s\}} s : h\cdot(q,p,s'[p']) \triangleright \Delta, s'[p'] : T';\{s[q] : \,!\langle p,T'\rangle\}}\ \lfloor\textsc{QDeleg}\rfloor
$$

$$
\frac{\Gamma \vdash_{\{s\}} s : h \triangleright \Delta \quad j \in K}{\Gamma \vdash_{\{s\}} s : h\cdot(q,p,l_j) \triangleright \Delta;\{s[q] : \oplus\langle p, \{l_k : T_k\}_{k\in K}\rangle\}}\ \lfloor\textsc{QSel}\rfloor
$$

Figure 23: Queue typing 



In order to type pure processes in parallel with queues, we need to use generalised 
types in session environments and further typing rules. Figure 22 lists the typing rules for 
processes containing queues. The judgement Γ ⊢_Σ P ▷ Δ means that P contains the queues 
whose session names are in Σ. Rule ⌊GInit⌋ promotes the typing of a pure process to the 
typing of an arbitrary process, since a pure process does not contain queues. When two 
arbitrary processes are put in parallel (rule ⌊GPar⌋) we need to require that each session 
name is associated to at most one queue (condition Σ ∩ Σ' = ∅). In composing the two 
session environments we want to put in sequence a message type and a session type for the 
same channel with role. For this reason we define the composition * between generalised 
types as: 

$$
\mathbb{T} * \mathbb{T}' =
\begin{cases}
\mathbb{T};\mathbb{T}' & \text{if } \mathbb{T} \text{ is a message type,}\\
\mathbb{T}';\mathbb{T} & \text{if } \mathbb{T}' \text{ is a message type,}\\
\bot & \text{otherwise}
\end{cases}
$$

where ⊥ represents failure of typing. 

We extend * to session environments as expected: 

$$
\Delta * \Delta' = \Delta \setminus \mathrm{dom}(\Delta') \;\cup\; \Delta' \setminus \mathrm{dom}(\Delta) \;\cup\; \{c : \mathbb{T} * \mathbb{T}' \mid c : \mathbb{T} \in \Delta \ \&\ c : \mathbb{T}' \in \Delta'\}.
$$

Note that * is commutative, i.e., Δ * Δ' = Δ' * Δ. Also, although message types can be derived 
only for channels with roles, the definition of * for session environments also covers channel 
variables, since we want, for example, {y : end} * {y : end} = ⊥ (message types 
do not contain end). 

In rule ⌊GSRes⌋ we require the coherence of the session environment Δ with respect 
to the session name s to be restricted (notation co(Δ, s)). This coherence is defined in 
Definition 4.3 using the notions of projection of generalised types and of duality, introduced 
respectively in Definitions B.1 and B.2. 

Definition B.1. The projection of the generalised local type 𝕋 onto q, denoted by 𝕋 ↾ q, is 
defined by: 
Definition B.2. The duality relation between projections of generalised types is the minimal 
symmetric relation which satisfies: 

$$
\begin{array}{c}
\mathrm{end} \bowtie \mathrm{end} \qquad x \bowtie x \qquad T \bowtie T' \Rightarrow \mu x.T \bowtie \mu x.T'\\[3pt]
T \bowtie T' \Rightarrow \,!U;T \bowtie \,?U;T'\\[3pt]
\forall i \in I\ \ T_i \bowtie T'_i \ \Rightarrow\ \oplus\{l_i : T_i\}_{i\in I} \bowtie \&\{l_i : T'_i\}_{i\in I}\\[3pt]
\exists i \in I\ \ l = l_i \wedge T \bowtie T_i \ \Rightarrow\ \oplus l;T \bowtie \&\{l_i : T_i\}_{i\in I}
\end{array}
$$
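As an added example (our own encoding, not code from the paper), the following Python implements the queue typing rules of Figure 23 (without delegation), the message-type equivalence ≈ that commutes messages to distinct participants, and the composition * of generalised types and session environments used by rule ⌊GPar⌋. Message types are lists of tagged triples, session types are left opaque as strings, and ⊥ is represented by None.

```python
"""Queue typing (Figure 23), message-type equivalence and the composition * of session
environments.  Added example with our own encoding; not the paper's code."""
from typing import Dict, List, Optional, Tuple, Union

Msg = Tuple[str, int, str]   # ('!', p, S): send of sort S to p;  ('+', p, l): selection of l at p
MsgType = List[Msg]          # message type: a sequence  T;T'  of sends and selections
Gen = Union[str, MsgType, Tuple[MsgType, str]]   # session | message | message;session
BOT = None                   # failure of typing, written ⊥ in the text


def type_queue(s: str, h: List[Tuple[int, int, str, str]]) -> Dict[str, MsgType]:
    """Delta for  s : h  by [QInit], [QSend], [QSel].  A queued message (q, p, kind, payload)
    is q sending p a value (kind 'val', payload = its sort S) or a label (kind 'label')."""
    delta: Dict[str, MsgType] = {}          # [QInit]: empty queue, empty environment
    for q, p, kind, payload in h:
        out = ('!', p, payload) if kind == 'val' else ('+', p, payload)
        # Delta;{s[q] : out}: append to the sender's channel s[q], creating it if absent
        delta.setdefault(f"{s}[{q}]", []).append(out)
    return delta


def msg_equiv(t1: MsgType, t2: MsgType) -> bool:
    """T ≈ T': adjacent messages to distinct participants commute, so two message types
    are equivalent iff for every receiver p the subsequence addressed to p is identical."""
    def per_receiver(t: MsgType) -> Dict[int, MsgType]:
        return {p: [m for m in t if m[1] == p] for p in {m[1] for m in t}}
    return per_receiver(t1) == per_receiver(t2)


def star(t1: Gen, t2: Gen) -> Optional[Gen]:
    """T * T': message;session in either order, ⊥ otherwise (so end * end = ⊥)."""
    if isinstance(t1, list) and isinstance(t2, str):
        return (t1, t2)
    if isinstance(t1, str) and isinstance(t2, list):
        return (t2, t1)
    return BOT


def compose(d1: Dict[str, Gen], d2: Dict[str, Gen]) -> Optional[Dict[str, Gen]]:
    """Delta * Delta' as used by [GPar]: disjoint channels are kept, shared ones are starred,
    and the whole composition fails (⊥) as soon as one shared channel does."""
    out: Dict[str, Gen] = {c: t for c, t in d1.items() if c not in d2}
    out.update({c: t for c, t in d2.items() if c not in d1})
    for c in d1.keys() & d2.keys():
        t = star(d1[c], d2[c])
        if t is BOT:
            return BOT
        out[c] = t
    return out


if __name__ == "__main__":
    # constructed queue: participant 2 selects ok at 1, then sends a string to 3
    queue_env = type_queue("s", [(2, 1, "label", "ok"), (2, 3, "val", "string")])
    print(compose(queue_env, {"s[2]": "?(3,date);end"}))   # ⊕<1,ok>;!<3,string>;?(3,date);end
```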